MedImpact policies and procedures referenced throughout this training course, and standard definitions, are available to you on MedImpact’s Intranet site under Corporate Compliance/HIPAA Compliance Program.
HIPAA PRIVACY 20XX
Training Course Introduction
Hi, I’m Nessy, a Lochness Performance Consultant. Together we will travel through this course and learn about HIPAA Privacy. Should you get stuck, follow my lead!
Training Course Orientation
After reading each page of the training course, go to the next page by clicking on the Next button at the bottom of the screen. You may click on the Back button to return to the previous page at any point during the training course. This training course should take approximately 1 hour to complete.
When you have finished the training course, including answering all of the training course questions, you must agree to comply with the information, policies and procedures summarized in this training course. A record of completion of the training course will be added to your training transcript in the LMS.
Please be sure to print your certificate of completion at the end of the course.
Training Course Orientation
This training course has three (3) primary objectives:
1. Increase your awareness of how to protect Member Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI) and how to implement certain Privacy Right requests.
2. Educate you on MedImpact’s policies and procedures that support the HIPAA Privacy Rule.
3. Test your understanding of the HIPAA Privacy Rule and MedImpact’s policies and procedures.
This training course discusses how MedImpact protects the uses and disclosures of Member health information as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and subsequent amendments.
Let’s Get Started
Why Is This Privacy Rule Training Course Important?
• It is the policy of MedImpact to protect the uses and disclosures of Member IIHI/PHI, as required by the HIPAA Privacy Rule.
• Clients and Members trust that MedImpact uses and discloses Member IIHI/PHI appropriately.
• It is your job to protect the privacy of Member IIHI/PHI, on behalf of MedImpact, by using the safeguards outlined in this training course.
Topics
This training course outlines the following MedImpact Privacy Rule policies and procedures and other requirements that support the Privacy Rule:
Member IIHI/PHI – Overview
Uses and Disclosures of Member IIHI/PHI
• Protection of Member IIHI/PHI
• Identity and Authority Verification
• Potential & Deliberate Unauthorized Disclosures and/or Breaches of Member IIHI/PHI
• Five (5) Privacy Rule Training Course Questions
Member Privacy Rights Overview
• Right to Request Privacy Protection for Member IIHI/PHI
• Right to Request Access or Amendment to Member IIHI/PHI
• Right to Request an Accounting of Disclosures of Member IIHI/PHI
• Five (5) Member Privacy Rights Training Course Questions
Privacy Rule Resources
Your Responsibilities
Company Responsibilities
Member IIHI/PHI - Overview
• The HIPAA Privacy Rule describes permitted uses and disclosures of Member IIHI/PHI (i.e., Treatment, Payment and Health Care Operations (TPO)).
MedImpact’s Uses and Disclosures of Member IIHI/PHI policy [560-PL-001] supports permitted uses and disclosures of IIHI/PHI, as outlined in this training course.
IIHI/PHI may be used for TPO and non-TPO purposes (e.g., summary reports); however, the IIHI/PHI used for non-TPO purposes must be De-Identified, as outlined on the following slide.
Member IIHI/PHI - Overview
• IIHI/PHI is considered De-Identified if all identifiable elements have been removed and there is no reasonable basis to believe that the remaining information could be used to identify a Member. MedImpact may use De-Identified IIHI/PHI to create reports.
This table outlines data elements that may identify an individual:
• Name
• Address
• Date of Birth
• Fax numbers
• E-mail addresses
• Social Security Number (SSN)
• Medical record number
• Account number
• URL (Uniform Resource Locator)
• IP (Internet Protocol) address
• Any other unique identifying number, characteristic or code that the Covered Entity (CE) or Business Associate (BA) has reason to believe may be available to a data recipient
• Refer to the Uses and Disclosures of Member IIHI/PHI policy [560-PL-001], located on the Corporate Compliance/HIPAA Compliance Program intranet, for a detailed list of identifiable elements.
Uses and Disclosures of Member IIHI/PHI - Member Authorization Not Required
MedImpact may use and disclose Member IIHI/PHI in a protected and secure manner without a Member’s written authorization in accord with the following:
• Treatment, Payment and Health Care Operations (TPO);
• Compliance with the Business Associate Agreement (BAA);
• Service Agreement (SA); or
• As otherwise required by law, including, but not limited to, assistance in disaster relief efforts as outlined on the following slide.
Uses and Disclosures of Member IIHI/PHI
Disaster Relief – Member Authorization Not Required
• MedImpact may use or disclose Member IIHI/PHI to a public or private entity authorized by law to assist in disaster relief efforts, for the purpose of coordinating the uses or disclosures permitted by the Privacy Rule.
• The use and disclosure requirements under the Privacy Rule prevail to the extent that MedImpact, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances.
Uses and Disclosures of Member IIHI/PHI – Minimum Necessary
It is MedImpact’s policy to use the minimum amount of IIHI/PHI necessary to achieve the intended purpose of the use, disclosure, or request, also known as the Minimum Necessary standard or rule.
The following examples show how the Minimum Necessary Rule applies:
• A Pharmacy contacts MedImpact and requests a specific claim’s status for payment. The response to the Pharmacy should strictly address the claim payment status for that specific claim, and not reference other claims for that Member. The Member may not always use that pharmacy for all prescription fills.
• An internal or external individual requests the status of a prior authorization. The response should only include the specific information requested, and not disclose any additional Member IIHI/PHI.
Uses and Disclosures of Member IIHI/PHI - Business Associate Responsibilities
• Business Associate Agreement/Service Agreement (BAA/SA)
MedImpact’s BAA/SA outline contractual requirements between the Plan and MedImpact. On behalf of the Plan, MedImpact must implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic IIHI/PHI that it creates, receives, maintains, or transmits on behalf of the Plan.
• Business Associate Subcontractor Agreement (BASA)
MedImpact must require the same protections of any vendor/subcontractor using or disclosing IIHI/PHI on MedImpact’s behalf. The BASA includes requirements for subcontracted entities to protect the confidentiality, integrity, and availability of the IIHI/PHI that the subcontracted entity creates, receives, maintains, or transmits on behalf of MedImpact.
Protection of Member IIHI/PHI
The following slides outline MedImpact’s Protection of Member IIHI/PHI procedure [560-PD-006], which includes protection of internal and external communications:
• E-mails (Outlook and Salesforce)
• Fax machines and systems
• Documents/reports and letters/mailed communications
• Inter-office mail
• Paper
• Document destruction
• Electronic media/transfer
• Removal of IIHI/PHI data
• Visual presentations and
• Oral discussions (in person and telephonic)
Make sure you read the checklist. There is a lot of information to remember.
Protection of Member IIHI/PHI - Internal or External Communications
Outlook E-Mail:
• Is a secure method to exchange communications containing IIHI/PHI between Employees and Non-Employees (contractors, temps and interns/volunteers) whose names appear in MedImpact’s Outlook address book.
• Should not contain IIHI/PHI in the subject line.
• Automatically displays a confidential disclaimer statement for e-mail sent to anyone not listed in MedImpact’s Outlook address book.
• Must be encrypted, when sending IIHI/PHI, by using MedImpact’s secure encryption method if sent to anyone not listed in MedImpact’s Outlook address book.
Protection of Member IIHI/PHI - Internal or External Communications
Outlook E-Mail – Secure Send Feature
It is MedImpact’s policy, when sending an e-mail containing IIHI/PHI to a recipient outside of MedImpact, to ALWAYS send the e-mail via MedImpact’s secure send method (now the Send Secure button).
Outlook e-mails containing IIHI/PHI sent to anyone other than an Employee or Non-Employee must be transmitted using MedImpact’s encrypted Send Secure button feature. It is very important for MedImpact Employees and Non-Employees to adhere to MedImpact's secure encryption method when exchanging IIHI/PHI electronically, to remain compliant with new federal requirements and avoid costly penalties! You can find more detailed information about the Send Secure button by referring to the intranet – MedReference – User Guides – Other (Tumbleweed User Guide), or contact IT Security.
Additionally, the Send Secure button should also be used when sending other confidential and proprietary information, such as proposals, contracts, etc., to individuals located outside of MedImpact.
Whenever possible, please use an alternative encrypted secure method to exchange IIHI/PHI electronically. See the slide entitled "Rules for Electronic Transfer".
Please contact IT Security to discuss secure options for exchanging IIHI/PHI (e.g., VPN, FTP, etc.).
Protection of Member IIHI/PHI – Internal or External Communications
Rules for using IIHI/PHI in Salesforce
Salesforce is MedImpact’s central repository for Plan-related communication.
• Salesforce E-mail = No IIHI/PHI
Salesforce is not housed on MedImpact’s server; therefore, Salesforce e-mail transmissions are not encrypted. Salesforce e-mails sent to anyone must not contain any IIHI/PHI (including MedImpact Employees or Non-Employees and Plans).
• Salesforce Cases = Minimum IIHI/PHI
A Salesforce case may generally reference an issue involving IIHI/PHI, but the case must not contain the detailed IIHI/PHI. The detailed IIHI/PHI must be followed up by other means (e.g., a separate Outlook e-mail or telephone call).
• Salesforce Documents and Attachments = IIHI/PHI
Documents and attachments containing IIHI/PHI can be attached to a Salesforce case via the FTP application but cannot be sent via the Salesforce e-mail function.
Note: Refer to the Salesforce Business Rules/Best Practices document maintained by MedImpact’s Salesforce Administrators.
Protection of Member IIHI/PHI – External Communications
Rules for sending IIHI/PHI via Fax
• Use extra caution when dialing fax numbers manually and transmitting faxes containing IIHI/PHI.
• The fax cover page must display the confidential disclaimer in the footer area, as later described in this training course.
• Clearly identify the intended recipient and include your name and contact information.
• Do not include IIHI/PHI in the subject line or on the fax cover page (except for Medication Request Forms).
  - A claim number, prior authorization number, or medication name may be used alone in the subject line or on the fax cover page.
• Remember the Minimum Necessary Rule!
Protection of Member IIHI/PHI – External Communications
Rules for sending IIHI/PHI via Documents/Reports and Letters/Mailed Communication
• Documents, reports, letters and other mailed communication containing IIHI/PHI should display the confidential disclaimer in the footer area, as later described in this training course.
• Envelopes:
  - Compare the name and address on the envelope with the name and address included in the body of the letter, and confirm that enclosures are appropriate for the intended recipient.
  - IIHI/PHI elements must not be visible in the envelope window (e.g., Member’s date of birth, Social Security Number, and Member identification number).
  - A non-windowed envelope should be used and separately addressed in the event the address is not included in the body of the letter.
• Business unit mailboxes/in-boxes should be placed in areas with limited access.
Remember the Minimum Necessary Rule!
Protection of Member IIHI/PHI – External Communications
Rules for sending IIHI/PHI via Electronic Media (CD/DVD, etc.)
• Electronic media containing IIHI/PHI must be either encrypted or password protected when sending to external recipients, including remote MedImpact Employees and Non-Employees.
• Contact IT Security to learn how to encrypt electronic media containing IIHI/PHI (or send a Salesforce Case to IT Security) and to learn about other secure encryption options available to exchange IIHI/PHI.
• Electronic media containing IIHI/PHI should display the confidential disclaimer on the electronic media label, as described in the Protection of Member IIHI/PHI - Confidential Disclaimers slide.
Protection of Member IIHI/PHI – External Communications
• Rules for Electronic Transfer
MedImpact has established the following methods of protected connectivity for data transmission, which must be used to transmit secure/encrypted electronic files containing IIHI/PHI.
• Dedicated Line – A secure dedicated line established between the client and MedImpact’s site so data is not transmitted over the public Internet.
• Site to Site Virtual Private Network (VPN) (Internet) – A secure site-to-site VPN that can be configured to use several encryption methods, including AES and 3DES.
• SecureTransport – A secure file transfer capability through an SSL-encrypted website.
• Neoteris – A secure client-to-site VPN capability through an SSL-encrypted website.
• FTP with PGP – For large file transfers, MedImpact supports FTP with PGP, which encrypts the data prior to transferring it over the Internet using the standard file transfer protocol.
Please contact IT Security to learn more about secure connectivity methods that are available to meet various business needs.
Protection of Member IIHI/PHI – External Communications
Removal of IIHI/PHI Data from the Workplace
• Removing IIHI/PHI data from MedImpact is strongly discouraged (for example, working on data containing IIHI/PHI at an off-site working lunch meeting, working on data containing IIHI/PHI from home, etc.).
If an employee must work on a project involving IIHI/PHI while off-site, then please obtain management approval and contact MedImpact's IT Security Department to ensure a secure encrypted device is used.
Protection of Member IIHI/PHI - Confidential Disclaimers
The following applicable confidential disclaimers, available on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance Program, should be included in the footer area or on the electronic media label of the following communications containing Member IIHI/PHI:
Fax Cover Page:
This transmission, together with any attachments, is intended only for the use of those to whom it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, employee or agent responsible for delivering this transmission, you are hereby notified that any distribution or copying of this transmission is strictly prohibited. If you received this transmission in error, please contact the original sender immediately by calling the contact number noted and immediately destroy all copies.
Letters and Mail:
This letter may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
Documents and Reports:
The contents of this document [report] may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
Protection of Member IIHI/PHI - Confidential Disclaimers (Continued)
Electronic Media (e.g., compact discs, tapes, cartridges):
The contents of this package may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
Outlook E-Mail - External:
The following disclaimer statement is automatically populated at the bottom of every e-mail:
This transmission, together with any attachments, is intended only for the use of those to whom it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any distribution or copying of this transmission is strictly prohibited. If you received this transmission in error, please notify the original sender immediately and delete this message, along with any attachments, from your computer.
FTP Site:
The following disclaimer should appear on MedImpact’s FTP (File Transfer Protocol) server:
The contents of this FTP server may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
Protection of Member IIHI/PHI - Internal Communication
Paper
• Desks, file rooms, or open area storage systems that do not have the ability to be locked should contain reasonable safeguards to protect IIHI/PHI, especially after hours.
• Observable files and documents containing IIHI/PHI should be adequately shielded and never left unattended. Never leave documentation containing IIHI/PHI unattended on photocopiers and printers.
• Documents containing IIHI/PHI that must be shared inter-departmentally should be sent in inter-office envelopes or hand delivered to the recipient promptly.
• As an added precaution, a sealed envelope may be utilized inside the inter-office envelope.
• Documents or files ready for destruction must be disposed of immediately in designated “Shred-it®” bins. (See next slide for more details.)
Protection of Member IIHI/PHI - Internal Communication
Rules for disposing of Paper documents containing IIHI/PHI
Paper documents containing company confidential information and/or IIHI/PHI awaiting disposal must be disposed of immediately in designated “Shred-it®” bins.
• Such documents include all paper documents that contain IIHI/PHI and company information, such as Social Security Numbers, Member Identification Numbers, Member drug prescriptions, company financial records, histories, or other relevant information.
• Documents or files ready for destruction must be disposed of immediately in designated “Shred-it®” bins.
• Storage/File rooms that house documents or files containing IIHI/PHI that cannot be disposed of immediately should be locked after business hours and when authorized staff is not present.
Nessy says: Shred it if you already read it!
Protection of Member IIHI/PHI - Internal Communication
Rules for Disposing of Plastic Electronic Media Containing IIHI/PHI
• Plastic magnetic media (CDs, cartridges, disks, tapes, etc.) containing IIHI/PHI must be disposed of in designated disposal consoles.
• Under NO CIRCUMSTANCES should plastic magnetic media be disposed of in the paper Shred-it® bins or in unsecured dumpsters.
Protection of Member IIHI/PHI - Internal Communication
Visual
Visibility of computer monitors should be limited to authorized individuals. Methods for limiting visibility include, but are not limited to:
• Clearing information from your monitor when you are not actively using the information
• Using password protected screen savers
• Turning off your computer
• Logging out of the network when not at your desk
Protection of Member IIHI/PHI - Internal Communication
Verbal/Oral
You should be aware of the potential for Unauthorized Disclosures of IIHI/PHI during conversations.
You should be aware of the areas most appropriate to discuss information referencing IIHI/PHI and their levels of potential for Unauthorized Disclosures:
Low Potential: Enclosed offices & conference rooms.
Medium Potential: Telephone & individual cubicles.
High Potential: Public areas, reception areas, shared cubicles, elevators & restrooms, or anywhere clients may be present.
Protection of Member IIHI/PHI - Identity & Authority Verification
External Communications
How do we know the person we are providing IIHI/PHI to is allowed to have it?
Verbal/Oral – Telephone
• Verify the identity and authority of a caller, as described in the following slides.
• A voicemail message for a Member should only request a return call, providing only your name and phone number. Voicemail messages should not include detailed IIHI/PHI.
• Remember the Minimum Necessary Rule!
MedImpact accepts the Member’s verbal/oral designation of a Personal Representative for a use or disclosure request, following verification of the Member’s identity and authority and the Member’s agreement, for the duration of the telephone contact.
Identity and Authority Verification
The following slides outline MedImpact’s Identity and Authority Verification procedure [560-PD-009] for:
• Members;
• Personal Representatives;
• Health Care Organizations (i.e., Plan);
• Health Care Practitioners (i.e., physician);
• Pharmacies; and
• All Other Requests.
Identity and Authority Verification - Overview
• MedImpact reasonably relies on the professional judgment of MedImpact staff and the affirmations of Members, Personal Representatives, health care organizations, health care practitioners, pharmacies and others involved in the health care or payment of a Member in verifying the authority to receive IIHI/PHI.
• You may share IIHI/PHI with Personal Representatives and others involved with the health care or payment of the Member, as outlined in the next several slides.
• You should verify Member information only after the individual requesting the IIHI/PHI provides basic Member information that is confirmed by MedImpact’s records.
Identity and Authority Verification - Personal Representatives of Members
• A Personal Representative is an individual authorized to act on behalf of the Member in making health care related decisions. A Personal Representative may include, but is not limited to, family members, close personal friends and health care providers.
• In the event that a Member’s Personal Representative contacts MedImpact and requests use or disclosure of IIHI/PHI, MedImpact requires that the Personal Representative provide the following information for identity and authority verification:
• Personal Representative name
• Member name
• Member Identification number
• Member or policyholder birth date and
• Prescription drug name
Exception - Medicare Part D - In the event a Medicare Part D Appointed Representative contacts MedImpact and requests uses or disclosures of IIHI/PHI, you should follow established departmental processes to verify the identity and authority of the Appointed Representative, according to Medicare Part D requirements.
Identity and Authority Verification - Personal Representatives of Members
Following the identification and authority verification process described on the previous slide, MedImpact determines if a valid, written authorization document designating a Personal Representative has been provided by the Member’s Plan. Upon receipt of the Plan-approved authorization forms, the applicable MedImpact Employee or Non-Employee documents the Plan's direction and authorization form details in the MedAccess Member Main screen comment log for the applicable Member record.
In cases where a valid written authorization is on file, the IIHI/PHI may be provided according to the request.
In cases where MedImpact has no record of a Personal Representative designated by the Member, or an existing authorization document is not valid, an Employee/Non-Employee may reasonably rely on their professional judgment and the affirmations of Members, Personal Representatives, health care organizations, health care practitioners, pharmacies and others involved in the health care or payment of a Member in verifying the authority to receive IIHI/PHI.
Identity and Authority Verification - Personal Representatives of Members
The following elements should be verified to validate the authorized Personal Representative document:
• Date of the authorization.
• Member information.
• Individual whom the Member designates as the Personal Representative.
• Purpose of designation.
• Expiration date.
• Member acknowledgement of the expiration date.
• Member acknowledgement that the authorization may be revoked at any time.
• Member acknowledgement that a paper copy of the authorization may be requested at any time.
• Member signature.
• Date of Member signature.
Identity and Authority Verification - Health Care Organizations, Health Care Practitioners and Pharmacies
In the event a health care organization, health care practitioner or pharmacy contacts MedImpact and requests use or disclosure of IIHI/PHI, MedImpact requires that the health care organization, health care practitioner or pharmacy provide the following information for identity and authority verification:
• Member name.
• Member birth date.
• Name of health care organization, health care practitioner or pharmacy.
• NABP or NPI, if pharmacy.
• Name of individual calling on behalf of the health care organization, health care practitioner or pharmacy.
• Prescription drug name.
Identity and Authority Verification – All Other Requests
• If you receive a request for uses or disclosures of IIHI/PHI from entities or individuals who are neither a Personal Representative nor an Appointed Representative (Medicare Part D), nor a health care organization, practitioner or pharmacy, then the individual and/or request should be referred to the Regulatory Compliance or Legal Department, who will establish the individual’s or entity’s identity and authority to receive the requested IIHI/PHI.
• The following slides explain what to do if IIHI/PHI is released to someone not authorized to receive it.
Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI - Internal Reporting Process
Potential and Deliberate Unauthorized Disclosures and/or Breaches of Member IIHI/PHI - Overview
In the event that any element of IIHI/PHI is released to an unintended recipient, it is considered a Potential Unauthorized Disclosure and must be reported to the Regulatory Compliance Department. For example: releasing IIHI/PHI to the wrong physician’s office, Plan, Member or any other unintended recipient via fax, e-mail, paper, disc, or any other method.
A Breach is an Unauthorized Disclosure of IIHI/PHI that results in the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably be able to retain such information.
Potential and Deliberate Unauthorized Disclosures and/or Breaches of Member IIHI/PHI
The following slides outline the process for reporting Potential and Deliberate Unauthorized Disclosures and/or Breaches of IIHI/PHI in accord with the following documents located in the HIPAA Compliance section of the Corporate Compliance Program Intranet site:
• Internal Reporting - Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI [560-PD-007]
• Use and Disclosure of Member IIHI/PHI [560-PL-001] and
• Corporate Compliance Program.
Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI – Reporting: Internal Process
• The reporting process involves the applicable department Management (Manager or above, i.e., Director, Vice President or Senior Vice President) reporting the Potential Unauthorized Disclosure and/or Breach to the Regulatory Compliance Department for final determination.
In situations where it is determined by Regulatory Compliance that an Unauthorized Disclosure and/or Breach occurred as defined by the Privacy Rule, the applicable department Management reports the incident to the Plan within required contractual timeframes, in coordination with the Regulatory Compliance Department.
Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI Reporting
If you become aware of a Potential Unauthorized Disclosure and/or Breach of IIHI/PHI, then follow these steps:
• Ensure the IIHI/PHI is sent to the correct recipient;
• Confirm that the unintended recipient shredded or destroyed the IIHI/PHI;
• Report the Potential Unauthorized Disclosure and/or Breach to your department Manager (or above);
• Meet with your department Manager (or above) to ensure all reporting elements are gathered;
• Review processes for improvements; and
• Your department Manager (or above) submits the completed and signed Internal Reporting Form to the Regulatory Compliance Department, within three (3) business days, in accord with the reporting mechanisms identified on the Corporate Compliance/HIPAA Compliance Program Intranet site, and the applicable P&Ps.
Deliberate Unauthorized Disclosures and Breaches of Member IIHI/PHI
• Deliberate Unauthorized Disclosures and Breaches of IIHI/PHI to unauthorized recipients are not permitted by federal or state law or by MedImpact.
Deliberate Unauthorized Disclosures and Breaches of IIHI/PHI must be reported to Corporate Compliance, in accord with MedImpact’s Corporate Compliance Program and MedImpact’s Uses and Disclosures of Member IIHI/PHI [560-PL-001] policy located on the Corporate Compliance Intranet site.
Example: A MedImpact Employee/Non-Employee using IIHI/PHI for non-work related purposes, i.e., using Member financial, prescription or demographic information for personal gain.
Training Course Review
You have reached the end of the first half of the HIPAA Privacy Rule training course. In just a moment, you will take a short quiz on what you have learned in this training course thus far. Before you take the quiz, here are some of the main points presented in the first half of this training course.
• IIHI/PHI: Must be protected, and the identity and authority of individuals requesting IIHI/PHI must be verified.
• Document Destruction: Paper documents containing company confidential information and/or IIHI/PHI awaiting disposal must be disposed of immediately in designated “Shred-it®” bins.
• Plastic Magnetic Media Destruction: Plastic magnetic media (CDs, cartridges, disks, tapes, etc.) containing IIHI/PHI must be disposed of in special consoles.
• External E-mail: MedImpact’s secure encryption method must be used to send IIHI/PHI via Outlook e-mail to external recipients. Do not send Salesforce e-mail containing IIHI/PHI.
• Removal of IIHI from MedImpact: This is not recommended. If you are working on a project containing IIHI/PHI that requires removal from the MedImpact workplace, then notify your management and contact MedImpact's IT Security Department to ensure a secure encrypted device is used.
• Minimum Necessary: The limitation of disclosed IIHI/PHI to that needed to accomplish the intended purpose of the use, disclosure, or request.
• Personal Representative: MedImpact requires that the Personal Representative provide his/her name; Member name; Member identification number; Member or policy holder date of birth; and prescription drug name.
• Potential Unauthorized Disclosures and/or Breaches: MedImpact maintains an internal reporting process to report Potential Unauthorized Disclosures and/or Breaches of IIHI/PHI, as described in the Internal Reporting – Potential Unauthorized Disclosure and/or Breaches of Member IIHI/PHI [560-PD-007] procedure.
• Treatment, Payment or Health Care Operations (TPO): MedImpact may use or disclose IIHI/PHI without Member authorization for its own TPO purposes.
A short quiz is coming soon.
Time to Test Your Knowledge…
• Now you are ready to answer 5 questions based on what you have read in this training course. Answer each question by clicking on “Submit your answer”. Each time you answer a question, you will learn if your answer is correct or incorrect.
• When your answer is correct, you will be directed to the next slide. A brief summary of the correct response will be provided to you.
• When your answer is incorrect, you will be given one (1) additional attempt to provide the correct answer before you are directed to the next slide.
You must score at least 80% to get credit for this course.
Privacy Rule Training Quiz Question
1. You accidentally e-mail a Pharmacy report containing Member IIHI/PHI to an unintended recipient. According to MedImpact’s procedures, which of the following steps should be followed?
A. Ensure the IIHI/PHI is sent to the correct recipient and confirm that the
unauthorized recipient shredded or destroyed the IIHI/PHI.
B. Report the Potential Unauthorized Disclosure and/or Breach to your Manager (or
above) and meet with your Manager (or above) to ensure all reporting elements
are gathered and processes for improvements are reviewed.
C. Your Manager (or above) submits the completed and signed Internal Reporting
Form to the Regulatory Compliance Department, within three (3) business days.
D. All of the above.
Privacy Rule Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is D: All of the above.
REVIEW AND LEARN MORE!
A Potential Unauthorized Disclosure and/or Breach of IIHI/PHI must be reported to your department Manager (or above), and your department Manager (or above) must report the Potential Unauthorized Disclosure and/or Breach to the Regulatory Compliance Department within three (3) business days of becoming aware, per the Internal Reporting – Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI procedure [560-PD-007].
MedImpact has contractual obligations as a Business Associate of certain client Plans, which require MedImpact to report such Disclosures and/or Breaches within specified timeframes.
Privacy Rule Training Quiz Question
2. A Personal Representative of a Member calls MedImpact to inquire about a recent claim
submitted. According to MedImpact’s policies and procedures, what information must the
Personal Representative provide for Identity and Authority Verification?
A. Personal representative name, member name, member ID number, member or policy holder
date of birth, prescription drug name.
B. Personal representative name, personal representative address, personal representative driver's license number, personal representative date of birth.
Privacy Rule Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is A: Personal representative name, member name, member ID number, member or policy holder date of birth, prescription drug name.
REVIEW AND LEARN MORE!
Per the Identity and Authority Verification procedure [560-PD-009], located on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance Program, MedImpact requires that a Personal Representative provide the information noted above for identity and authority verification.
Privacy Rule Training Quiz Question
3. You are working on a project containing Member IIHI/PHI that requires removal from the
MedImpact workplace. What should you do in this situation?
A. Contact your management.
B. Contact IT Security to ensure a secure encrypted device is used.
C. Remove the IIHI/PHI from the MedImpact workplace without contacting your management or IT Security.
D. Both A and B.
Privacy Rule Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is D: Both A and B.
REVIEW AND LEARN MORE!
It is not recommended for Employees to remove data containing IIHI/PHI from the MedImpact workplace. If you are working on a project containing IIHI/PHI that requires removal from the workplace, please contact your management and MedImpact's IT Security Department to ensure a secure encrypted device is used. For more information, see the Protection of Member IIHI/PHI procedure [560-PD-006].
Privacy Rule Training Quiz Question
4. You have been directed to organize your department work area. Which type(s) of material
should you toss in the Shred-it® bin?
A. Any recyclable paper not containing Member IIHI/PHI.
B. Trash, candy wrappers, empty water bottles and tissues.
C. Any documentation containing company confidential information and/or IIHI/PHI, such as
name, address, date of birth, Social Security Number or Member identification number.
Privacy Rule Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is C: Any documentation containing company confidential information and/or IIHI/PHI, such as name, address, date of birth, Social Security Number or Member identification number.
REVIEW AND LEARN MORE!
All documents containing Member IIHI/PHI should be disposed of in secure “Shred-it®” bins located in designated locations, in accordance with the Protection of Member IIHI/PHI procedure [560-PD-006] located on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance Program.
Privacy Rule Training Quiz Question
5. A Plan e-mails Member IIHI/PHI to you and requests that you research an issue and
provide an e-mail response by close of business day. You research the issue and find additional
IIHI/PHI to support your response to the Plan. You draft an e-mail response containing IIHI/PHI.
According to MedImpact’s procedures, what is the next step you must take before sending an
Outlook e-mail that contains IIHI/PHI to an external recipient?
A. Send the response to the Plan with the requested information and ensure the appropriate
confidential disclaimer is in the footer.
B. Use the minimum amount of IIHI/PHI necessary to fulfill the intended request and encrypt the e-mail upon sending, using the Outlook Send Secure Button.
C. Spell check your e-mail and send.
Privacy Rule Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is B: Use the minimum amount of IIHI/PHI necessary to fulfill the intended request and encrypt the e-mail upon sending, using the Outlook Send Secure Button.
REVIEW AND LEARN MORE!
MedImpact’s secure encryption method MUST be used when an Outlook e-mail containing Member IIHI/PHI is sent to individuals other than MedImpact Employees or Non-Employees. The Outlook Send Secure Button must be used even when responding to an original e-mail containing Member IIHI/PHI that was not originally encrypted by the sender.
Refer to IT Security for additional information regarding MedImpact’s secure encryption method.
Member Privacy Rights
Congratulations!
You have completed Part 1 of this training course!
Part II of this training course explains how MedImpact supports its Plans when
Members request certain Privacy Rights and Plans approve those requests.
As a Business Associate (BA), MedImpact is required to implement Member Privacy
Right requests on behalf of Plans.
A Member is informed of his/her Privacy Rights under the Privacy Rule by way of a
Notice of Privacy Practices document provided by his/her Plan.
Training Course Review Completed
Module II
Member Privacy Rights
The following slides summarize the Member Privacy Rights and reference the applicable procedure documents implementing a Member’s Privacy Right request.
• Right to Request Privacy Protection for Member IIHI/PHI
• Right to Request Restrictions of Uses and Disclosures of Member IIHI/PHI
• Right to Request Rerouting of Confidential Communications of Member IIHI/PHI
• Right to Request Access or Amendment to Member IIHI/PHI
• Right to Request an Accounting of Disclosures of Member IIHI/PHI
Member Privacy Rights – Right to Request Privacy Protection for Member IIHI/PHI
• MedImpact may use or disclose IIHI/PHI without Member authorization for TPO purposes.
• A Member has the right to request privacy protection for IIHI/PHI that may affect standard TPO processes, including but not limited to: claims, benefits, eligibility, coordination of benefits, Plan audits, and discussions with pharmacies, providers or Members.
• In cases where a Member requests that a Plan restrict the disclosure of his/her IIHI/PHI, the Plan must comply with the requested restriction if:
  • The disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
  • The IIHI/PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
Member Privacy Rights – Right to Request Privacy Protection for Member IIHI/PHI
Privacy Protection may be requested in the following two ways and must be approved by the Plan:
• Restriction on the uses and/or disclosures of IIHI/PHI. Example: A Member’s restriction request requires that MedImpact not provide the Member’s ex-spouse any IIHI/PHI about him/her.
• Rerouting of Confidential Communications of IIHI/PHI by alternative means or at alternative locations. Rerouting of Confidential Communications involves direct communications between MedImpact and the Member. Example: A Member requests that his/her IIHI/PHI be sent to an alternate address or by fax instead of U.S. Mail.
Detailed procedures for implementing and terminating these requests are outlined in the Right to Request Privacy Protection for Member IIHI/PHI procedure [560-PD-004] located in the HIPAA Compliance section of the Corporate Compliance Intranet site.
Member Privacy Rights - Member Privacy Protection Requests
MedImpact does not take Privacy Right requests received directly from Members.
If you receive a Privacy Right request directly from a Member, you must:
• Inform the Member that the request is required to be routed through the Plan that provided the Notice of Privacy Practices to the Member, and provide the Member with the Plan contact information; and
• Inform the Member that the Plan manages the process and initiates the request according to its own internal policies and procedures.
Member Privacy Rights - Plan Privacy Protection Requests
• MedImpact takes Privacy Protection requests received directly from Plans. All requests are routed to the appropriate MedImpact Client Service Specialist (CSS).
• Upon receipt, the CSS completes the Internal Reporting Form for Request for Privacy Protection within one (1) business day, and sends the completed Form along with the written approval from the Plan to the Regulatory Compliance Department for review and record keeping purposes.
• Upon the Regulatory Compliance Department review, the CSS works with the Plan regarding implementation.
How to Implement and Identify a Request for Privacy Protection in MedAccess
You have learned how to respond to a Member and Plan requesting Privacy Protection. The following slides demonstrate how to identify and implement a Privacy Protection request in the MedAccess member record.
Privacy Protection Request Implementation
A Plan may choose to either implement the request or have MedImpact implement the request
in MedAccess.
The “CONFDNTL” Field in the Member Maintenance Screen contains a flag that identifies
whether a Privacy Protection exists for a Member, which is outlined in the next two slides.
Privacy Protection Request Implementation by Plan
P Flag – Plan Implementation in MedAccess – Change Eligibility Files
• The Plan must implement the P Flag in the applicable CONFDNTL Field by changing its Member eligibility files to accommodate the CONFDNTL Field.
• MedImpact cannot implement a P Flag in MedAccess, since Plan eligibility files will overwrite a P Flag. Eligibility files must be changed and the P Flags must then be managed by the Plan.
• The CONFDNTL Field P Flag entry can be edited by the Plan.
Privacy Protection Request Implementation by MedImpact
C Flag – MedImpact CSS Implementation in MedAccess – No Change to Plan Eligibility Files
• The Plan or MedImpact can implement the C Flag directly in MedAccess without changing Plan eligibility files.
• If a C Flag is in the CONFDNTL Field, then the entire Member record cannot be overwritten by future eligibility file loads.
• Since Member records cannot be overwritten, error messages will occur for all future automatic edits or updates made to the Member record. Therefore, manual edits are required to ensure continued accuracy of the information contained in the Member Record.
How to Identify a Member’s Privacy Protection “Confdntl” Flag in MedAccess
The “Confdntl” (confidential) flag field in the MedAccess Member Maintenance screen contains information regarding member restrictions.
The Member Maintenance screen contains the “Special Handling” banner at the top.
How to Identify a Member’s Privacy Protection “Confdntl” Flag in MedAccess
• If there is a value (typically a “C” or a “P”) in the “Confdntl” flag field found in the MedAccess Member Maintenance Screen, then a Special Handling banner appears at the top of the screen.
• If a value appears in the “Confdntl” flag field, then place the cursor on the “Confdntl” flag field, select “F8” and the Special Handling Notes field appears.
• Special Handling Notes Field – contains the details regarding the specific Privacy Protection.
• Use CTRL+Y to open the full Special Handling Notes screen notes display and follow the instructions.
How to Request Access or Amendment to Member IIHI/PHI and Request an Accounting of Disclosures
Now you have learned how to:
• Respond to Members and Plans; and
• Identify and implement the MedAccess “CONFDNTL” flag field.
The following slides show how to respond to a Plan request for access and amendment to Member IIHI/PHI and a Plan request for an Accounting of Disclosures.
Member Privacy Rights – Request Access to Member IIHI/PHI
Right to Request Access to Member IIHI/PHI
• On behalf of a Member, a Plan has the right to require that MedImpact allow a Member access to inspect and obtain a copy of his/her IIHI/PHI in a Designated Record Set (DRS), for as long as the IIHI/PHI is maintained in the DRS and IIHI/PHI maintained by MedImpact.
• The following slide is an example of the data elements contained in a Business Objects DRS report generated by the CSS, in accord with the Right to Request Access or Amendment to Member IIHI/PHI procedure [560-PD-002].
Member Privacy Rights – Request Access to Member IIHI/PHI: DRS Report Data Elements
The following data elements are included in a DRS report generated by the CSS, in accord with the Right to Request Access or Amendment to Member IIHI/PHI procedure [560-PD-002].
Basic Member Information
• Member Number
• Full Name
• Birth Date
• Gender
• Address
• Plan
Claim Adjudication Information
• Rx# (unique number per claim)
• Fill Date
• Pharmacy Name
• Pharmacy Address
• NDC (The first 5 characters represent the manufacturer of the drug. The next 4 characters represent the ingredient and form. The last two characters represent the package type.)
• Drug Name
• Days Supply
• Qty
• Compound (If code = 2, then the drug is a compound; otherwise the drug is not a compound.)
• PA#
• Formulary
• Physician Name
Prior Authorization/MRF
• PA#
• Drug Name
• Strength
• NDC
• Qty
• Days Supply
• Count
• Co-Pay
• Start Date
• Physician Name
Member Privacy Rights – Request Amendment to Member IIHI/PHI
A Plan, on behalf of the Member, may request that MedImpact implement a request to amend IIHI/PHI in a DRS. The following process is initiated upon MedImpact’s receipt of this type of request:
• The request is directed to the appropriate CSS.
• The request must be submitted to MedImpact in writing and should include the original Member request and documentation of Plan approval of the request.
• The CSS routes the request to the Regulatory Compliance Department by one of the following methods:
  • Outlook E-mail (Regulatory Compliance group);
  • Inter-office Envelope; or
  • Orally.
• After reviewing the Request:
  • If the Regulatory Compliance Department approves MedImpact fulfilling the Request, the Regulatory Compliance Department notifies the CSS of its approval and direction to proceed with amending the Member’s IIHI/PHI in the DRS.
  • If the Regulatory Compliance Department does not approve the Request, the Regulatory Compliance Department notifies the CSS and the CSS discusses the non-approval with the Plan.
• If the Request is approved, the CSS:
  • Amends the DRS report according to the Request;
  • Prints the DRS report from Business Objects or MedOptimize; and
  • Forwards the Amendment of IIHI/PHI Request - Optional Fulfillment Letter or alternate form of communication to the Plan, including the amended DRS report, if applicable.
Member Privacy Rights – Accounting of Disclosures
A Plan may require MedImpact to implement a request for an accounting of Disclosures on behalf of a Member. MedImpact implements such requests in accord with the Right to Request an Accounting of Disclosures of Member IIHI/PHI procedure [560-PD-003], which outlines the following:
• On behalf of a Member, a Plan may request an accounting of Disclosures of IIHI/PHI made by MedImpact in the six (6) years prior to the date of the request, except for Disclosures made before April 14, 2003.
• Such accounting includes the date of the Disclosure, the name of the recipient and, if known, the address of the recipient, a description of the IIHI/PHI disclosed and the purpose of the disclosure.
• An accounting of Disclosures does not include disclosures made by MedImpact for TPO purposes or as otherwise authorized by the Member.
• The request is directed to the appropriate CSS from the Plan.
• The CSS forwards the request and related documentation to the Regulatory Compliance Department.
• The Regulatory Compliance Department completes the accounting of Disclosures report and returns the report to the CSS.
Training Course Review
You have reached the end of the second half of the HIPAA
Privacy Rule Training course.
Training Course Review
Here are some of the main points presented in the second half of this training course.
Right to Request Privacy Protection for Member IIHI/PHI
A Member has the right to request privacy protection for his/her individually identifiable health information (IIHI) and protected health information (PHI) disclosed by either the Plan or MedImpact, as the Business Associate (BA) of the Plan.
As a BA, MedImpact receives Plan communication (oral or written) regarding a Member’s Request for privacy protection of IIHI/PHI. An assigned Client Service Specialist (CSS) manages the Request process. MedImpact’s process identifies procedures according to the details of the Request options, which include:
• Restriction of Uses and Disclosures of Member IIHI/PHI: Restriction placed on the Plan, or MedImpact as a BA, on uses and disclosures of IIHI/PHI about the Member to carry out Treatment, Payment, or Health Care Operations (TPO).
• Rerouting of Confidential Communications: Conditions placed on the Plan, or MedImpact as a BA, on sending confidential communications to a Member containing IIHI/PHI by alternative means or at alternative locations.
Training Course Review
Right to Request Access or Amendment to Member IIHI/PHI
A Member has the right to request access to or amendment of his/her individually identifiable health information (IIHI) and protected health information (PHI) in a Designated Record Set (DRS), for as long as the IIHI/PHI is maintained in the DRS.
As a Business Associate (BA), MedImpact receives Plan communication regarding a Member’s Request for access or amendment to IIHI/PHI. An assigned Client Service Specialist (CSS) manages the Request process.
Right to Request an Accounting of Disclosures of Member IIHI/PHI
A Member has the right to request an accounting of disclosures of IIHI/PHI made by a Plan, or MedImpact as the Business Associate (BA) of the Plan, in the six (6) years prior to the date on which the accounting is requested, except for disclosures made before April 14, 2003.
As a BA, MedImpact receives Plan communication (oral or written) regarding a Member Request for an accounting of disclosures of IIHI/PHI. An assigned Client Service Specialist (CSS) manages the Request process.
Time to Test Your Knowledge…
• Now you are ready to answer 5 (five) questions based on what you have read in the second half of this training course. Answer each question with the choice you believe is the most appropriate for the given situation by clicking on “Submit your answer”. Each time you answer a question, you will learn if your answer is correct or incorrect.
• When your answer is correct, you will be directed to the next slide. A brief summary of the correct response is provided to you to expand your knowledge.
• When your answer is incorrect, you will be given one (1) additional attempt to provide the correct answer before you are directed to the next slide.
To pass this course you must score at least 80% between both quizzes to receive full credit.
Member Privacy Rights Training Quiz Question
1. Under the Privacy Rule, a Member may ask for the following:
A. A Restriction on uses and disclosures of IIHI/PHI.
B. Rerouting of Confidential Communications of his/her IIHI/PHI by
alternative means or at alternative locations.
C. Both A and B.
D. None of the Above.
Member Privacy Rights Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is C. A Member has a right to ask for both a Restriction on uses and disclosures of IIHI/PHI and Rerouting of Confidential Communications of his/her IIHI/PHI by alternative means or at alternative locations.
REVIEW AND LEARN MORE!
A Plan must permit a Member to request a Restriction on uses and disclosures of his/her or dependent IIHI/PHI. An example of a Restriction is: A father of two members submits a request that restricts access to his children's medical information from the children's mother. The father has sole physical and legal custody of the children per a court order and the mother has no parental rights.
A Plan must permit a Member to request, and must accommodate reasonable requests, to receive communications of IIHI/PHI by alternative means or at alternative locations. An example of a Rerouting of Confidential Communications is: A husband who is separated from his wife and no longer resides at the same location wants his mail sent to an alternate address until his divorce is finalized.
Member Privacy Rights Training Quiz Question
2. You are a Customer Service Representative and you receive a request from a Member who is
asking you to exercise his/her Privacy Right to request restriction on uses and disclosures of
IIHI/PHI. As a Customer Service Representative, you are expected to be of service to those
requesting your assistance. In this instance, you should:
A. Inform the Member that the request is required to be routed through the Plan that provided
the Notice of Privacy Practices to the Member.
B. Give the requested information to the Member without verifying if MedImpact is responsible
for managing requests on behalf of the Plan.
C. Hang up on the caller.
Member Privacy Rights Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is A. Inform the Member that the request is required to be routed through the Plan that provided the Notice of Privacy Practices to the Member.
REVIEW AND LEARN MORE!
A Member of a Plan is informed of his/her privacy rights under HIPAA as described in a Notice of Privacy Practices provided by a Plan. The Plan is responsible for approving and terminating the Request.
A Plan or MedImpact may implement a Request, as outlined in the Right to Request Privacy Protection for Member IIHI/PHI procedure [560-PD-004].
Member Privacy Rights Training Quiz Question
3. Which of the following is false?
A. MedImpact implements Privacy Right requests received directly from Members.
B. MedImpact refers a Privacy Right request received directly from a Member to the
Member’s Plan that provided the Notice of Privacy Practices to the Member.
C. If the Plan approves the request, MedImpact will be advised by the Plan to implement the
Privacy Right request on behalf of the Member.
Member Privacy Rights Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is A. MedImpact does not implement Privacy Right requests received directly from Members.
REVIEW AND LEARN MORE!
A Plan Member is informed of his/her HIPAA privacy rights in a Notice of Privacy Practices provided by a Plan. The Plan is responsible for approving the Request and providing written notification of the approved Request to its MedImpact CSS for implementation or termination. If the Plan agrees to a restriction, MedImpact may not use or disclose IIHI/PHI in violation of such a restriction. The exception is when the Member who requested the restriction is in need of emergency treatment and the restricted IIHI/PHI is needed to provide the emergency treatment; in that case MedImpact may use the restricted IIHI/PHI or may disclose such information to a health care provider to provide such treatment to the Member, and request that the health care provider not further disclose the IIHI/PHI.
Member Privacy Rights Training Quiz Question
4. True or False: On behalf of a Member, a Plan does not have the right to require that MedImpact
allow a Member access to inspect and obtain a copy of his/her IIHI/PHI in a Designated Record
Set (DRS).
A. True
B. False
Member Privacy Rights Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is B. False. On behalf of a Member, a Plan has the right to require that MedImpact allow a Member access to inspect and obtain a copy of his/her IIHI/PHI in a Designated Record Set (DRS), for as long as the IIHI/PHI is maintained in the DRS, except for: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and IIHI/PHI maintained by MedImpact.
REVIEW AND LEARN MORE!
For more information on how to run the HIPAA DRS Report, please refer to the Right to Request Access or Amendment of Member IIHI/PHI procedure [560-PD-002].
Member Privacy Rights Training Quiz Question
5. What is included in an Accounting of Disclosures request?
A. Date of Disclosure, name of recipient, the address of the recipient (if known).
B. Disclosures made by MedImpact for Treatment, Payment or Health Care
Operations.
C. Description of IIHI/PHI disclosed and the purpose of the disclosure.
D. Both A and C.
Member Privacy Rights Training Quiz Question - Review
Very good, you answered correctly!
The correct answer is D. Accounting of Disclosures includes: Date of Disclosure, name of recipient, the address of the recipient (if known), a description of IIHI/PHI disclosed and the purpose of the Disclosure. Accounting of Disclosures does not include Disclosures made by MedImpact for Treatment, Payment or Health Care Operations.
REVIEW AND LEARN MORE!
An Accounting of Disclosures request submitted by the Plan must be submitted to MedImpact in writing and should include the original Member request and documentation of the Plan approval of the request, as outlined in the Right to Request an Accounting of Disclosures of Member IIHI/PHI procedure [560-PD-003].
Privacy Rule Training
As outlined in the HIPAA Privacy Rule Training policy [560-PL-008], you may receive customized training on topics concerning the uses and disclosures of Member IIHI/PHI as necessary to effectively carry out your role and responsibilities.
Privacy Rule Resources – Overview
MedImpact’s Privacy Officer is Lisa Byerley, Director of Regulatory Compliance.
Approach your supervisor or manager with questions relating to departmental procedures that support
MedImpact’s HIPAA Privacy Rule policies and procedures.
The Regulatory Compliance Department is available to answer questions or provide additional information regarding HIPAA requirements or policies and procedures. You can contact the Regulatory Compliance Department at: regulatorycompliance@medimpact.com
HIPAA Privacy Rule Resources
Policies and procedures and standard definitions summarized in this training course that support the HIPAA Privacy Rule are available on MedImpact’s Intranet website, under the Corporate Compliance/HIPAA Compliance Section, as shown on the next slide.
Privacy Rule Resources – Policies and Procedures
The following policies and procedures are referenced throughout this HIPAA Privacy Rule training course and are available to you on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance, as illustrated on the previous slide. It is the responsibility of all MedImpact Employees and Non-Employees to adhere to MedImpact’s policies and procedures.
• Uses and Disclosures of Member IIHI/PHI [560-PL-001]
• Right to Request Access or Amendment to Member IIHI/PHI [560-PD-002]
• Right to Request an Accounting of Disclosures of Member IIHI/PHI [560-PD-003]
• Right to Request Privacy Protection for Member IIHI/PHI [560-PD-004]
• Business Associate Responsibilities [560-PL-005]
• Protection of Member IIHI/PHI [560-PD-006]
• Internal Reporting – Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI [560-PD-007]
• HIPAA Privacy Rule Training [560-PL-008]
• Identity and Authority Verification [560-PD-009]
Policies and Procedures – Your Responsibilities
You are responsible for adhering to MedImpact’s policies and procedures. If your actions are determined to be outside the scope of MedImpact’s policies and procedures, the specific issue is addressed with your direct supervisor and/or with a qualified member of the Human Resources (HR) Department and Corporate Compliance.
Dependent on the circumstances of the issue, disciplinary action may be imposed, up to and including termination of employment.
Your manager (in conjunction with HR and Corporate Compliance, where appropriate) works collaboratively with you to research the circumstances, explain the identified actions, and mitigate and initiate the necessary process improvement(s) that support MedImpact’s policies and procedures.
All potential or suspected actions deemed outside the scope of MedImpact’s HIPAA policies and procedures
must be reported to the Regulatory Compliance Department.
Company Responsibilities
The HIPAA Privacy Rule applies only to Plans, health care
clearinghouses, and certain health care providers. However, Plans often do
not carry out all of their health care activities and functions by themselves.
Instead, they often use the services of a variety of other businesses, such as
a pharmacy benefit management company (MedImpact).
The Privacy Rule allows Plans to disclose IIHI/PHI to Business Associates
(BA) (MedImpact) if the Plan obtains satisfactory assurances that the BA will
use the information only for the purposes for which it was engaged to
perform, will safeguard the information from misuse, and will help the Plan
comply with certain identified duties under the Privacy Rule.
If the Plan knows of a material breach or violation by the BA, the Plan is required to take reasonable steps to
cure the breach or end the violation, and if steps are unsuccessful, to terminate the contract or arrangement.
Therefore, it is important that you safeguard IIHI/PHI from misuse and help MedImpact comply with its
contractual obligations which support the Plan’s compliance efforts under the Privacy Rule.
The Federal HIPAA Privacy Rule & State Privacy Laws
This training course is intended to cover only the federal HIPAA Privacy Rule
requirements.
Some state laws that regulate the protection of IIHI/PHI may be broader or more restrictive than the federal
HIPAA Privacy Rule regulations. Therefore, in some situations, state law may determine MedImpact’s
requirements over the federal regulations, which will be communicated separately by MedImpact’s Regulatory
Compliance Department.
MedImpact’s Regulatory Compliance Department is responsible for:
Identifying and analyzing applicable federal and state laws and
regulations that impact MedImpact business; and conveying the
requirements to the applicable business unit(s).
Congratulations!
Thank you for completing MedImpact’s required online HIPAA Privacy Rule Training.
By successfully completing the quiz, you have demonstrated your awareness and understanding of
safeguards to protect Member Individually Identifiable Health Information (IIHI) and Protected Health
Information (PHI) and MedImpact’s policies and procedures that support the HIPAA Privacy Rule.
Your time and participation will help MedImpact meet the requirements of the HIPAA Privacy Rule and, most
important, help MedImpact to protect the privacy and confidentiality of our Members’ IIHI/PHI.
Please go to the next slide to read and acknowledge the compliance statement.
Congratulations! You did a fantastic job! Before you become Lochness Certified with
HIPAA 2010, you will need to agree to comply on the next slide.
Compliance Statement
I acknowledge, understand and agree that it is my responsibility to read, understand and follow
MedImpact’s HIPAA Privacy Rule policies and procedures outlined in this training course.
If I do not understand a particular policy or procedure, I will contact my supervisor, the Regulatory
Compliance Department, or the HIPAA Privacy Officer for clarification.
I understand that MedImpact may change, rescind, or add to these policies and procedures from time to
time. I will be advised of material changes within a reasonable time frame.
To Complete this Training Course:
You must AGREE TO COMPLY with the information, policies and procedures in this training course.
Click the “I Agree to Comply” button and then receive your final score.
You must PASS this course with an 80% to receive credit for completing this training course.
Your training transcript and completion certificate will be available in the LMS after you exit this course.

HIPAA Training Instructional Design Example

  • 1. MedImpact policies and procedures referenced throughout this training course and standard definitions are available to you on MedImpact’s Intranet site Corporate Compliance/HIPAA Compliance Program. HIPAA PRIVACY 20XX
  • 2. Training Course Introduction Hi I’m Nessy, a Lochness Performance Consultant. Together we will travel through this course and learn about HIPAA Privacy. Should you get stuck, follow my lead! To move to the next slide click on Start
  • 3. Training Course Navigation To navigate through this course click these buttons: To move forward To go to the previous slide
  • 4. Training Course Orientation After reading each page of the training course, go to the next page by clicking on the button at the bottom of the screen. You may click on the button to return to the previous page at any point during the training course. This training course should take approximately 1 hour to complete. When you have finished the training course, including answering all of the training course questions, you must agree to comply with the information, policies and procedures summarized in this training course. A record of completion of the training course will be added to your training transcript in the LMS. Please be sure to print your certificate of completion at the end of the course.
  • 5. Training Course Orientation This training course has three (3) primary objectives: 1. Increase your awareness of how to protect Member Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI) and to implement certain Privacy Right requests. 2. Educate you on MedImpact’s policies and procedures that support the HIPAA Privacy Rule. 3. Test your understanding of the HIPAA Privacy Rule and MedImpact’s policies and procedures. This training course discusses how MedImpact protects the uses and disclosures of Member health information as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and subsequent amendments.
  • 7. Why Is This Privacy Rule Training Course Important?  It is the policy of MedImpact to protect the uses and disclosures of Member IIHI/PHI, as required by the HIPAA Privacy Rule.  Clients and Members trust that MedImpact uses and discloses Member IIHI/PHI appropriately.  It is your job to protect the privacy of Member IIHI/PHI, on behalf of MedImpact, by using the safeguards outlined in this training course.
  • 8. Topics Member IIHI/PHI – Overview Uses and Disclosures of Member IIHI/PHI  Protection of Member IIHI/PHI  Identity and Authority Verification  Potential & Deliberate Unauthorized Disclosures and/or Breaches of Member IIHI/PHI  Five (5) Privacy Rule Training Course Questions Member Privacy Rights Overview  Right to Request Privacy Protection for Member IIHI/PHI  Right to Request Access or Amendment to Member IIHI/PHI  Right to Request an Accounting of Disclosures of Member IIHI/PHI  Five (5) Member Privacy Rights Training Course Questions Privacy Rule Resources Your Responsibilities Company Responsibilities This training course outlines the following MedImpact Privacy Rule policies and procedures and other requirements that support the Privacy Rule:
  • 9. Member IIHI/PHI - Overview  The HIPAA Privacy Rule describes permitted uses and disclosures of Member IIHI/PHI (i.e., Treatment, Payment and Health Care Operations (TPO). MedImpact’s Uses and Disclosures of Member IIHI/PHI policy [560-PL-001] supports permitted uses and disclosures of IIHI/PHI, as outlined in this training course. IIHI/PHI may be used for TPO and non-TPO purposes (e.g., summary reports); however, the IIHI/PHI for non-TPO purposes must be De-Identified, as outlined in the following slide.
  • 10. Member IIHI/PHI - Overview  IIHI/PHI is considered De-Identified if all identifiable elements have been removed and there is no reasonable basis to believe that the remaining information could be used to identify a Member. MedImpact may use De-Identified IIHI/PHI to create reports. This table outlines data elements that may identify an individual.  Name  Address  Date of Birth  Fax numbers  E-mail addresses  SSN#  Medical record number  Account number  URL (Universal Resource Locator)  IP (Internet Portal) address  Any other unique identifying number characteristic or code that the CE or BA have reason to believe may be available to a data recipient  Refer to the Uses and Disclosures of Member IIHI/PHI policy [560-PL-001] located on the Corporate Compliance/HIPAA Compliance Program intranet, for a detailed list of identifiable elements.
  • 11. Uses and Disclosures of Member IIHI/PHI - Member Authorization Not Required MedImpact may use and disclose Member IIHI/PHI in a protected and secure manner without a Member’s written authorization in accord with the following:  Treatment, Payment and Health Care Operations (TPO);  Compliance with the Business Associate Agreement (BAA);  Service Agreement (SA); or As otherwise required by law, including, but not limited to, assistance in disaster relief efforts as outlined on the following slide.
  • 12. Uses and Disclosures of Member IIHI/PHI  MedImpact may use or disclose Member IIHI/PHI to a public or private entity authorized by law to assist in disaster relief efforts, for the purpose of coordinating the uses or disclosures permitted by the Privacy Rule.  The use and disclosure requirements under the Privacy Rule prevail to the extent that MedImpact, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. Disaster Relief – Member Authorization Not Required Hurry click Next
  • 13. Uses and Disclosures of Member IIHI/PHI – Minimum Necessary The following examples show how the Minimum Necessary Rule applies:  A Pharmacy contacts MedImpact and requests a specific claim’s status for payment. The response to the Pharmacy should strictly address the claim payment status for that specific claim, and not reference other claims for that Member. The Member may not always use that pharmacy for all prescription fills.  An internal or external individual requests the status of a prior authorization. The response should only include the specific information requested, and not disclose any additional Member IIHI/PHI. It is MedImpact’s policy to use the minimum amount of IIHI/PHI necessary to achieve the intended purpose of the use, disclosure, or request, also known as the Minimum Necessary standard or rule.
  • 14. Uses and Disclosures of Member IIHI/PHI - Business Associate Responsibilities
    - Business Associate Agreement/Service Agreement (BAA/SA): MedImpact’s BAA/SA outlines the contractual requirements between the Plan and MedImpact. On behalf of the Plan, MedImpact must implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic IIHI/PHI that it creates, receives, maintains, or transmits on behalf of the Plan.
    - Business Associate Subcontractor Agreement (BASA): MedImpact must require the same protections of any vendor/subcontractor using or disclosing IIHI/PHI on MedImpact’s behalf. The BASA includes requirements for subcontracted entities to protect the confidentiality, integrity, and availability of the IIHI/PHI that the subcontracted entity creates, receives, maintains, or transmits on behalf of MedImpact.
  • 15. Protection of Member IIHI/PHI
    The following slides outline MedImpact’s Protection of Member IIHI/PHI procedure [560-PD-006], which includes protection of internal and external communications:
    - E-mails (Outlook and Salesforce)
    - Fax machines and systems
    - Documents/reports and letters/mailed communications
    - Inter-office mail
    - Paper
    - Document destruction
    - Electronic media/transfer
    - Removal of IIHI/PHI data
    - Visual presentations, and
    - Oral discussions (in person and telephonic)
    Make sure you read the checklist. There is a lot of information to remember.
  • 16. Protection of Member IIHI/PHI - Internal or External Communications
    Outlook E-Mail:
    - Is a secure method to exchange communications containing IIHI/PHI between Employees and Non-Employees (contractors, temps and interns/volunteers) whose names appear in MedImpact’s Outlook address book.
    - Should not contain IIHI/PHI in the subject line.
    - Automatically displays a confidential disclaimer statement for e-mail sent to anyone not listed in MedImpact’s Outlook address book.
    - Must be encrypted, when sending IIHI/PHI, by using MedImpact’s secure encryption method if sent to anyone not listed in MedImpact’s Outlook address book.
  • 17. Protection of Member IIHI/PHI - Internal or External Communications
    Outlook E-Mail – Secure Send Feature
    It is MedImpact’s policy, when sending an e-mail containing IIHI/PHI to a recipient outside of MedImpact, to ALWAYS send the e-mail via MedImpact’s send secure method, now the Send Secure button. Outlook e-mails containing IIHI/PHI sent to anyone other than an Employee or Non-Employee must be transmitted by using MedImpact’s encrypted Send Secure button feature. It is very important for MedImpact Employees and Non-Employees to adhere to MedImpact's secure encryption method when exchanging IIHI/PHI electronically, to remain compliant with new federal requirements and avoid costly penalties!
    You can find more detailed information about the Send Secure button on the intranet (MedReference – User Guides – Other (Tumbleweed User Guide)) or by contacting IT Security. Additionally, the Send Secure button should also be used when sending other confidential and proprietary information, such as proposals, contracts, etc., to individuals located outside of MedImpact.
    Whenever possible, please use an alternative encrypted secure method to exchange IIHI/PHI electronically. See the slide entitled "Rules for Electronic Transfer". Please contact IT Security to discuss secure options for exchanging IIHI/PHI (e.g., VPN, FTP).
  • 18. Protection of Member IIHI/PHI – Internal or External Communications
    Rules for using IIHI/PHI in Salesforce
    Salesforce is MedImpact’s central repository for Plan-related communication.
    - Salesforce E-mail = No IIHI/PHI: Salesforce is not housed on MedImpact’s server; therefore, Salesforce e-mail transmissions are not encrypted. Salesforce e-mails sent to anyone (including MedImpact Employees or Non-Employees and Plans) must not contain any IIHI/PHI.
    - Salesforce Cases = Minimum IIHI/PHI: A Salesforce case may generally reference an issue involving IIHI/PHI, but the case must not contain the detailed IIHI/PHI. The detailed IIHI/PHI must be followed up by other means (e.g., a separate Outlook e-mail or telephone call).
    - Salesforce Documents and Attachments = IIHI/PHI: Documents and attachments containing IIHI/PHI can be attached to a Salesforce case via the FTP application but cannot be sent via the Salesforce e-mail function.
    Note: Refer to the Salesforce Business Rules/Best Practices document maintained by MedImpact’s Salesforce Administrators.
  • 19. Protection of Member IIHI/PHI – External Communications
    Rules for sending IIHI/PHI via Fax
    - Use extra caution when dialing fax numbers manually and transmitting faxes containing IIHI/PHI.
    - The fax cover page must display the confidential disclaimer in the footer area, as later described in this training course.
    - Clearly identify the intended recipient and include your name and contact information.
    - Do not include IIHI/PHI in the subject line or on the fax cover page (except for Medication Request Forms). A claim number, prior authorization number, or medication name may be used alone in the subject line or on the fax cover page.
    - Remember the Minimum Necessary rule!
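Slides 10, 16, 18 and 19 together amount to a checkable rule: the identifier elements listed on slide 10 must not appear in an Outlook subject line, in a Salesforce e-mail or on a fax cover page, while a claim number, prior authorization number or medication name on its own is allowed. The Python scanner below is added here as an illustration of that rule; it is not part of the course and not a MedImpact tool. The pattern set, the channel names and the sample lines are constructed for the example, and it deliberately covers only the elements that have a recognisable shape (SSN, e-mail address, phone or fax number, full date, IP address, URL): a name, an address or an account number has no reliable pattern, so the scanner supplements a human read rather than replacing it.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Identifier elements from slide 10 that can be recognised by their shape. Name, street
# address, medical record number and account number are identifiers too, but have no
# reliable pattern, so a human still reads the text before it goes out.
IDENTIFIER_PATTERNS: Dict[str, re.Pattern] = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # telephone or fax number, e.g. (858) 555-0100 or 858-555-0100
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    # any full month/day/year date: the slide lists date of birth, and a scanner cannot
    # tell a birth date from any other date, so every full date is flagged for review
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}

# Channels the course says must carry no IIHI/PHI at all (slides 16, 18 and 19);
# the channel names are assumptions made for this example.
NO_PHI_CHANNELS = ("outlook_subject", "salesforce_email", "fax_cover_page")


@dataclass
class CheckResult:
    channel: str
    allowed: bool
    findings: List[str]   # kinds of identifier found, sorted
    redacted: str         # the text with each finding replaced by a placeholder


def identifiers_in(text: str) -> List[str]:
    """Return the sorted kinds of identifier element present in text."""
    return sorted(kind for kind, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(text))


def redact(text: str) -> str:
    """Replace every detected identifier with a [KIND] placeholder."""
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text


def check_outbound(channel: str, text: str) -> CheckResult:
    """Apply the no-IIHI/PHI rule to a subject line, Salesforce e-mail or fax cover page.

    A claim number, prior authorization number or medication name on its own carries
    none of the patterned elements, so it passes, as slide 19 allows.
    """
    if channel not in NO_PHI_CHANNELS:
        raise ValueError(f"unknown channel: {channel!r}")
    findings = identifiers_in(text)
    return CheckResult(channel, not findings, findings, redact(text))


# Constructed sample lines; none of the values belong to a real person.
SAMPLES = [
    ("outlook_subject", "Claim 12345678 payment status"),
    ("outlook_subject", "Rx question for Jane Doe, DOB 03/14/1975, SSN 123-45-6789"),
    ("salesforce_email", "Please call (858) 555-0100 or reply to jdoe@example.com"),
    ("fax_cover_page", "Medication Request Form - prior auth 98765"),
]

if __name__ == "__main__":
    for channel, text in SAMPLES:
        result = check_outbound(channel, text)
        verdict = "OK" if result.allowed else "BLOCK " + ",".join(result.findings)
        print(f"{channel:17} {verdict:30} {result.redacted}")
```

Run as a script, each sample line prints either OK or BLOCK with the kinds found and a redacted copy. In a mail gateway or a Salesforce validation rule the same check would sit in front of the send action; every full date is treated as a possible date of birth because the scanner cannot tell them apart, which errs on the side of a human review.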
  • 20. Protection of Member IIHI/PHI – External Communications
    Rules for sending IIHI/PHI via Documents/Reports and Letters/Mailed Communication
    - Documents, reports, letters and other mailed communication containing IIHI/PHI should display the confidential disclaimer in the footer area, as later described in this training course.
    - Envelopes:
      - Compare the name and address on the envelope with the name and address included in the body of the letter, and confirm that enclosures are appropriate for the intended recipient.
      - IIHI/PHI elements must not be visible in the envelope window (e.g., Member’s date of birth, Social Security Number, and Member identification number).
      - A non-windowed envelope should be used and separately addressed in the event the address is not included in the body of the letter.
    - Business unit mailboxes/in-boxes should be placed in areas with limited access.
    Remember the Minimum Necessary Rule!
  • 21. Protection of Member IIHI/PHI – External Communications
    Rules for sending IIHI/PHI via Electronic Media (CD/DVD, etc.)
    - Electronic media containing IIHI/PHI must be either encrypted or password protected when sent to external recipients, including remote MedImpact Employees and Non-Employees.
    - Contact IT Security to learn how to encrypt electronic media containing IIHI/PHI (or send a Salesforce Case to IT Security) and to learn about other secure encryption options available to exchange IIHI/PHI.
    - Electronic media containing IIHI/PHI should display the confidential disclaimer on the electronic media label, as described in the Protection of Member IIHI/PHI - Confidential Disclaimers slide.
  • 22. Protection of Member IIHI/PHI – External Communications
    Rules for Electronic Transfer
    MedImpact has established the following methods of protected connectivity for data transmission, which must be used to transmit secure/encrypted electronic files containing IIHI/PHI.
    - Dedicated Line – A secure dedicated line established between the client and MedImpact’s site, so data is not transmitted over the public Internet.
    - Site to Site Virtual Private Network (VPN) (Internet) – A secure site-to-site VPN that can be configured to use several encryption methods, including AES and 3DES.
    - SecureTransport – A secure file transfer capability through an SSL-encrypted website.
    - Neoteris – A secure client-to-site VPN capability through an SSL-encrypted website.
    - FTP with PGP – For large file transfers, MedImpact supports FTP with PGP, which encrypts the data before it is transferred over the Internet using the standard file transfer protocol.
    Please contact IT Security to learn more about secure connectivity methods that are available to meet various business needs.
  • 23. Protection of Member IIHI/PHI – External Communications
    Removal of IIHI/PHI Data from the Workplace
    - Removing IIHI/PHI data from MedImpact is strongly discouraged (for example, working on data containing IIHI/PHI at an off-site working lunch meeting, working on data containing IIHI/PHI from home, etc.). If an employee must work on a project involving IIHI/PHI while off-site, then please obtain management approval and contact MedImpact's IT Security Department to ensure a secure encrypted device is used.
  • 24. Protection of Member IIHI/PHI - Confidential Disclaimers
    The following applicable confidential disclaimers, available on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance Program, should be included in the footer area or on the electronic media label of the following communications containing Member IIHI/PHI:
    Fax Cover Page: This transmission, together with any attachments, is intended only for the use of those to whom it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, employee or agent responsible for delivering this transmission, you are hereby notified that any distribution or copying of this transmission is strictly prohibited. If you received this transmission in error, please contact the original sender immediately by calling the contact number noted and immediately destroy all copies.
    Letters and Mail: This letter may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
    Documents and Reports: The contents of this document [report] may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
  • 25. Protection of Member IIHI/PHI - Confidential Disclaimers (Continued)
    Electronic Media (e.g., compact discs, tapes, cartridges): The contents of this package may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
    Outlook E-Mail - External: The following disclaimer statement is automatically populated at the bottom of every e-mail: This transmission, together with any attachments, is intended only for the use of those to whom it is addressed and may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any distribution or copying of this transmission is strictly prohibited. If you received this transmission in error, please notify the original sender immediately and delete this message, along with any attachments, from your computer.
    FTP Site: The following disclaimer should appear on MedImpact’s FTP (File Transfer Protocol) server: The contents of this FTP server may contain confidential individually identifiable health information protected under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and other statutes.
  • 26. Protection of Member IIHI/PHI - Internal Communication
    Paper
    - Desks, file rooms, or open area storage systems that do not have the ability to be locked should contain reasonable safeguards to protect IIHI/PHI, especially after hours.
    - Observable files and documents containing IIHI/PHI should be adequately shielded and never left unattended. Never leave documentation containing IIHI/PHI unattended on photocopiers and printers.
    - Documents containing IIHI/PHI that must be shared inter-departmentally should be sent in inter-office envelopes or hand delivered to the recipient promptly.
    - As an added precaution, a sealed envelope may be utilized inside the inter-office envelope.
    - Documents or files ready for destruction must be disposed of immediately in designated “Shred-it®” bins. (See next slide for more details.)
  • 27. Protection of Member IIHI/PHI - Internal Communication
    Rules for disposing of Paper documents containing IIHI/PHI
    Paper documents containing company confidential information and/or IIHI/PHI awaiting disposal must be disposed of immediately in designated “Shred-it®” bins.
    - Such documents include all paper documents that contain IIHI/PHI and company information, such as Social Security Numbers, Member Identification Numbers, Member drug prescriptions, company financial records, histories, or other relevant information.
    - Documents or files ready for destruction must be disposed of immediately in designated “Shred-it®” bins.
    - Storage/File rooms that house documents or files containing IIHI/PHI that cannot be disposed of immediately should be locked after business hours and when authorized staff is not present.
    Nessy says: Shred-It if you already read it.
  • 28. Protection of Member IIHI/PHI - Internal Communication
    Rules for Disposing of Plastic Electronic Media Containing IIHI/PHI
    - Plastic Magnetic Media (CDs, cartridges, disks, tapes, etc.) containing IIHI/PHI must be disposed of in designated disposal consoles.
    - Under NO CIRCUMSTANCES should the plastic magnetic media be disposed of in the paper Shred-it® bins or in unsecured dumpsters.
  • 29. Protection of Member IIHI/PHI - Internal Communication
    Visual
    Visibility of computer monitors should be limited to authorized individuals. Methods for limiting visibility include, but are not limited to:
    - Clearing information from your monitor when you are not actively using the information
    - Using password-protected screen savers
    - Turning off your computer
    - Logging out of the network when not at your desk
  • 30. Protection of Member IIHI/PHI - Internal Communication
    Verbal/Oral
    You should be aware of the potential for Unauthorized Disclosures of IIHI/PHI during conversations. You should be aware of the areas most appropriate to discuss information referencing IIHI/PHI and the levels of potential for Unauthorized Disclosures.
    - Low Potential: Enclosed offices & conference rooms.
    - Medium Potential: Telephone & individual cubicles.
    - High Potential: Public areas, reception areas, shared cubicles, elevators & restrooms, or where clients may be present.
  • 31. Protection of Member IIHI/PHI - Identity & Authority Verification – External Communications
    How do we know the person we are providing IIHI/PHI to is allowed to have it?
    Verbal/Oral – Telephone
    - Verify the identity and authority of a caller, as described in the following slides.
    - A voicemail message for a Member should only request a return call, providing only your name and phone number. Voicemail messages should not include detailed IIHI/PHI.
    - Remember the Minimum Necessary Rule!
    MedImpact accepts the Member’s verbal/oral designation of a Personal Representative for a use or disclosure request, following verification of the Member’s identity and authority and the Member’s agreement, for the duration of the telephone contact.
  • 32. Identity and Authority Verification
    The following slides outline MedImpact’s Identity and Authority Verification procedure [560-PD-009] for:
    - Members;
    - Personal Representatives;
    - Health Care Organizations (i.e., Plan);
    - Health Care Practitioners (i.e., physician);
    - Pharmacies; and
    - All Other Requests.
  • 33. Identity and Authority Verification - Overview
    - MedImpact reasonably relies on the professional judgment of MedImpact staff and the affirmations of Members, Personal Representatives, health care organizations, health care practitioners, pharmacies and others involved in the health care or payment of a Member in verifying the authority to receive IIHI/PHI.
    - You may share IIHI/PHI with Personal Representatives and others involved with the health care or payment of the Member, as outlined in the next several slides.
    - You should verify Member information only after the individual requesting the IIHI/PHI provides basic Member information that is confirmed by MedImpact’s records.
  • 34. Identity and Authority Verification - Personal Representatives of Members
    - A Personal Representative is an individual authorized to act on behalf of the Member in making health care related decisions. A Personal Representative may include, but is not limited to, family members, close personal friends and health care providers.
    - In the event that a Member’s Personal Representative contacts MedImpact and requests use or disclosure of IIHI/PHI, MedImpact requires that the Personal Representative provide the following information for identity and authority verification:
      - Personal Representative name
      - Member name
      - Member Identification number
      - Member or policyholder birth date, and
      - Prescription drug name
    Exception - Medicare Part D: In the event a Medicare Part D Appointed Representative contacts MedImpact and requests uses or disclosures of IIHI/PHI, you should follow established departmental processes to verify the identity and authority of the Appointed Representative, according to Medicare Part D requirements.
  • 35. Identity and Authority Verification - Personal Representatives of Members
    Following the identification and authority verification process described on the previous slide, MedImpact determines if a valid, written authorization document designating a Personal Representative has been provided by the Member’s Plan. Upon receipt of the Plan-approved authorization forms, the applicable MedImpact Employee or Non-Employee documents the Plan's direction and authorization form details in the MedAccess Member Main screen comment log for the applicable Member record.
    In cases where a valid written authorization is on file, the IIHI/PHI may be provided according to the request. In cases where MedImpact has no record of a Personal Representative designated by the Member, or an existing authorization document is not valid, an Employee/Non-Employee may reasonably rely on their professional judgment and the affirmations of Members, Personal Representatives, health care organizations, health care practitioners, pharmacies and others involved in the health care or payment of a Member in verifying the authority to receive IIHI/PHI.
  • 36. Identity and Authority Verification - Personal Representatives of Members
    The following elements should be verified to validate the authorized Personal Representative document:
    - Date of the authorization.
    - Member information.
    - Individual whom the Member designates as the Personal Representative.
    - Purpose of designation.
    - Expiration date.
    - Member acknowledgement of the expiration date.
    - Member acknowledgement that the authorization may be revoked at any time.
    - Member acknowledgement that a paper copy of the authorization may be requested at any time.
    - Member signature.
    - Date of Member signature.
  • 37. Identity and Authority Verification - Health Care Organizations, Health Care Practitioners and Pharmacies
    In the event a health care organization, health care practitioner or pharmacy contacts MedImpact and requests use or disclosure of IIHI/PHI, MedImpact requires that the health care organization, health care practitioner or pharmacy provide the following information for identity and authority verification:
    - Member name.
    - Member birth date.
    - Name of health care organization, health care practitioner or pharmacy.
    - NABP or NPI, if pharmacy.
    - Name of individual calling on behalf of the health care organization, health care practitioner or pharmacy.
    - Prescription drug name.
  • 38. Identity and Authority Verification – All Other Requests
    - If you receive a request for uses or disclosures of IIHI/PHI from entities or individuals who are neither a Personal Representative or Appointed Representative (Medicare Part D), nor a health care organization, practitioner or pharmacy, then the individual and/or request should be referred to the Regulatory Compliance or Legal Department, who will establish the individual’s or entity’s identity and authority to receive the requested IIHI/PHI.
    - The following slides explain what to do if IIHI/PHI is released to someone not authorized to receive it.
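Slides 33 through 38 describe a decision procedure: each type of caller must supply a fixed set of elements (slides 34 and 37); the supplied details are compared with MedImpact's records only after the caller has given them (slide 33); a Medicare Part D Appointed Representative follows the departmental process (slide 34); a Personal Representative is served from a valid written authorization when one is on file and by professional judgment otherwise (slides 35 and 36); and anyone else is referred to Regulatory Compliance or Legal (slide 38). The Python below encodes that procedure over a constructed set of Member records. It is added here as an example and is not MedImpact's own code; the record layout, the outcome labels, the sample callers and the dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Elements each type of caller must supply before anything is checked (slides 34 and 37).
PROVIDER_ELEMENTS = ("member_name", "member_dob", "organization_name", "caller_name", "drug_name")
REQUIRED_ELEMENTS = {
    "personal_representative": ("representative_name", "member_name", "member_id", "member_dob", "drug_name"),
    "health_care_organization": PROVIDER_ELEMENTS,
    "health_care_practitioner": PROVIDER_ELEMENTS,
    "pharmacy": PROVIDER_ELEMENTS + ("nabp_or_npi",),
}

@dataclass
class Authorization:
    """Plan-approved Personal Representative authorization elements (slide 36)."""
    representative_name: str
    signed_on: Optional[date]
    expires_on: Optional[date]
    member_signed: bool = False
    acknowledged_expiration: bool = False
    acknowledged_revocable: bool = False

    def is_valid(self, today: date) -> bool:
        return (self.member_signed and self.signed_on is not None
                and self.acknowledged_expiration and self.acknowledged_revocable
                and self.expires_on is not None and today <= self.expires_on)

@dataclass
class MemberRecord:
    """Constructed stand-in for a Member record on file, not MedImpact's data model."""
    member_id: str
    name: str
    dob: date
    drugs: frozenset                        # lower-case drug names on the Member's claims
    authorization: Optional[Authorization] = None

@dataclass
class Decision:
    outcome: str        # release | deny | professional_judgment | refer | part_d_process
    reason: str

def verify_request(requester_type: str, provided: dict,
                   records: Dict[str, MemberRecord], today: date) -> Decision:
    if requester_type == "medicare_part_d_appointed_representative":
        return Decision("part_d_process", "follow the departmental Medicare Part D process")
    required = REQUIRED_ELEMENTS.get(requester_type)
    if required is None:
        return Decision("refer", "refer to Regulatory Compliance or Legal")
    missing = [e for e in required if not provided.get(e)]
    if missing:
        return Decision("deny", "caller did not supply: " + ", ".join(missing))
    if provided.get("member_id"):
        rec = records.get(provided["member_id"])
    else:                                   # providers give name and birth date, not the ID
        rec = next((r for r in records.values() if r.name.lower() == provided["member_name"].lower()
                    and r.dob == provided["member_dob"]), None)
    # Records are compared only after the caller has supplied the details, and a mismatch is
    # reported without saying which element differs, so the reply discloses nothing on file.
    if (rec is None or rec.name.lower() != provided["member_name"].lower()
            or rec.dob != provided["member_dob"]
            or provided["drug_name"].lower() not in rec.drugs):
        return Decision("deny", "supplied Member details do not match MedImpact records")
    if requester_type != "personal_representative":
        return Decision("release", "identity and authority verified; apply Minimum Necessary")
    auth = rec.authorization
    if (auth and auth.is_valid(today)
            and auth.representative_name.lower() == provided["representative_name"].lower()):
        return Decision("release", "valid written Personal Representative authorization on file")
    return Decision("professional_judgment",
                    "no valid authorization on file; rely on professional judgment and affirmations")

# Constructed sample data for the example; no real Members.
TODAY = date(2024, 6, 1)
RECORDS = {
    "M1001": MemberRecord("M1001", "Jane Doe", date(1975, 3, 14), frozenset({"lisinopril"}),
                          Authorization("John Doe", date(2024, 1, 5), date(2024, 12, 31), True, True, True)),
    "M1002": MemberRecord("M1002", "Sam Roe", date(1980, 7, 2), frozenset({"metformin"})),
}
PR_JANE = {"representative_name": "John Doe", "member_name": "Jane Doe", "member_id": "M1001",
           "member_dob": date(1975, 3, 14), "drug_name": "Lisinopril"}
PR_SAM = {"representative_name": "Pat Roe", "member_name": "Sam Roe", "member_id": "M1002",
          "member_dob": date(1980, 7, 2), "drug_name": "metformin"}
PHARMACY_SAM = {"member_name": "Sam Roe", "member_dob": date(1980, 7, 2), "organization_name": "Example Pharmacy",
                "nabp_or_npi": "0000000", "caller_name": "R. Tech", "drug_name": "metformin"}
SAMPLE_CALLS = {
    "pr_valid_auth": ("personal_representative", PR_JANE),
    "pr_wrong_dob": ("personal_representative", {**PR_JANE, "member_dob": date(1975, 3, 15)}),
    "pr_no_auth": ("personal_representative", PR_SAM),
    "pharmacy_ok": ("pharmacy", PHARMACY_SAM),
    "pharmacy_no_npi": ("pharmacy", {**PHARMACY_SAM, "nabp_or_npi": ""}),
    "attorney": ("attorney", {"member_name": "Sam Roe"}),
    "part_d": ("medicare_part_d_appointed_representative", {}),
}

def demo_outcomes() -> Dict[str, str]:
    """Outcome of verify_request for each constructed sample call."""
    return {label: verify_request(kind, given, RECORDS, TODAY).outcome
            for label, (kind, given) in SAMPLE_CALLS.items()}
```

A mismatch is returned as one generic denial rather than naming the element that differed, so the reply itself never confirms a name, birth date or drug that a caller guessed. The authorization check reuses the slide 36 elements (Member signature, date of signature, expiration date and the Member's acknowledgements), so an unsigned or expired form does not count as valid and the call falls back to professional judgment, which is where the page says it belongs.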
  • 39. Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI - Internal Reporting Process
  • 40. Potential and Deliberate Unauthorized Disclosures and/or Breaches of Member IIHI/PHI - Overview
    In the event that any element of IIHI/PHI is released to an unintended recipient, it is considered a Potential Unauthorized Disclosure and must be reported to the Regulatory Compliance Department. For example: releasing IIHI/PHI to the wrong physician’s office, Plan, Member or any other unintended recipient via fax, e-mail, paper, disc, or any other method.
    A Breach is an Unauthorized Disclosure of IIHI/PHI that results in the unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably be able to retain such information.
  • 41. Potential and Deliberate Unauthorized Disclosures and/or Breaches of Member IIHI/PHI
    The following slides outline the process for reporting Potential and Deliberate Unauthorized Disclosures and/or Breaches of IIHI/PHI in accord with the following documents located in the HIPAA Compliance section of the Corporate Compliance Program Intranet site:
    - Internal Reporting - Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI [560-PD-007]
    - Use and Disclosure of Member IIHI/PHI [560-PL-001], and
    - Corporate Compliance Program.
  • 42. Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI – Reporting: Internal Process
    - The reporting process involves the applicable department Management (Manager or above, i.e., Director, Vice President or Senior Vice President) reporting the Potential Unauthorized Disclosure and/or Breach to the Regulatory Compliance Department for final determination. In situations where it is determined by Regulatory Compliance that an Unauthorized Disclosure and/or Breach occurred as defined by the Privacy Rule, the applicable department Management reports the incident to the Plan within required contractual timeframes, in coordination with the Regulatory Compliance Department.
  • 43. Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI – Reporting
    If you become aware of a Potential Unauthorized Disclosure and/or Breach of IIHI/PHI, then follow these steps:
    - Ensure the IIHI/PHI is sent to the correct recipient;
    - Confirm that the unintended recipient shredded or destroyed the IIHI/PHI;
    - Report the Potential Unauthorized Disclosure and/or Breach to your department Manager (or above);
    - Meet with your department Manager (or above) to ensure all reporting elements are gathered;
    - Review processes for improvements; and
    - Your department Manager (or above) submits the completed and signed Internal Reporting Form to the Regulatory Compliance Department, within three (3) business days, in accord with the reporting mechanisms identified on the Corporate Compliance/HIPAA Compliance Program Intranet site, and the applicable P&Ps.
  • 44. Deliberate Unauthorized Disclosures and Breaches of Member IIHI/PHI
    - Deliberate Unauthorized Disclosures and Breaches of IIHI/PHI to unauthorized recipients are not permitted by federal or state law or MedImpact. Deliberate Unauthorized Disclosures and Breaches of IIHI/PHI must be reported to Corporate Compliance, in accord with MedImpact’s Corporate Compliance Program and MedImpact’s Uses and Disclosures of Member IIHI/PHI [560-PL-001] policy located on the Corporate Compliance Intranet site.
    Example: A MedImpact Employee/Non-Employee using IIHI/PHI for non-work related purposes, i.e., using Member financial, prescription or demographic information for personal gain.
  • 45. Training Course Review A short quiz is coming soon
  • 46. Training Course Review
    You have reached the end of the first half of the HIPAA Privacy Rule training course. In just a moment, you will take a short quiz on what you have learned in this training course thus far. Before you take the quiz, here are some of the main points presented in the first half of this training course.
    - IIHI/PHI: Must be protected, and the identity and authority of individuals requesting IIHI/PHI must be verified.
    - Document Destruction: Paper documents containing company confidential information and/or IIHI/PHI awaiting disposal must be disposed of immediately in designated “Shred-it®” Bins.
    - Plastic Magnetic Media Destruction: Plastic magnetic media (CDs, cartridges, disks, tapes, etc.) containing IIHI/PHI must be disposed of in special consoles.
    - External E-mail: MedImpact’s secure encryption method must be used to send IIHI/PHI via Outlook e-mail to external recipients. Do not send Salesforce e-mail containing IIHI/PHI.
    - Removal of IIHI/PHI from MedImpact: This is not recommended. If you are working on a project containing IIHI/PHI that requires removal from the MedImpact workplace, then notify your management and contact MedImpact's IT Security Department to ensure a secure encrypted device is used.
    - Minimum Necessary: The limitation of disclosed IIHI/PHI to accomplish the intended purpose of the use, disclosure, or request.
    - Personal Representative: MedImpact requires that the Personal Representative provide his/her name; Member name; Member identification number; Member or policy holder date of birth; and prescription drug name.
    - Potential Unauthorized Disclosures and/or Breaches: MedImpact maintains an internal reporting process to report Potential Unauthorized Disclosures and/or Breaches of IIHI/PHI, as described in the Internal Reporting – Potential Unauthorized Disclosure and/or Breaches of Member IIHI/PHI [560-PD-007] procedure.
    - Treatment, Payment or Health Care Operations (TPO): MedImpact may use or disclose IIHI/PHI without Member authorization for its own TPO purposes.
  • 47. Time to Test Your Knowledge…
    - Now you are ready to answer 5 questions based on what you have read in this training course. Answer each question by clicking on “Submit your answer”. You will learn if your answer is correct or incorrect.
    - When your answer is correct, you will be directed to the next slide. A brief summary of the correct response will be provided to you.
    - When your answer is incorrect, you will be given one (1) additional attempt to provide the correct answer before you are directed to the next slide. You must score at least 80% to get credit for this course.
  • 48. Privacy Rule Training Quiz Question
    1. You accidentally e-mail a Pharmacy report containing Member IIHI/PHI to an unintended recipient. According to MedImpact’s procedures, which of the following steps should be followed:
    A. Ensure the IIHI/PHI is sent to the correct recipient and confirm that the unauthorized recipient shredded or destroyed the IIHI/PHI.
    B. Report the Potential Unauthorized Disclosure and/or Breach to your Manager (or above) and meet with your Manager (or above) to ensure all reporting elements are gathered and processes for improvements are reviewed.
    C. Your Manager (or above) submits the completed and signed Internal Reporting Form to the Regulatory Compliance Department, within three (3) business days.
    D. All of the above.
  • 49. Privacy Rule Training Quiz Question Review
    1. You accidentally e-mail a Pharmacy report containing Member IIHI/PHI to an unauthorized recipient. According to MedImpact’s procedures, which of the following steps should be followed:
    Very good, you answered correctly! The correct answer is D: All of the above.
    REVIEW AND LEARN MORE! A Potential Unauthorized Disclosure and/or Breach of IIHI/PHI must be reported to your department Manager (or above), and your department Manager (or above) must report the Potential Unauthorized Disclosure and/or Breach to the Regulatory Compliance Department within three (3) business days of becoming aware, per the Internal Reporting – Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI procedure [560-PD-007]. MedImpact has contractual obligations as a Business Associate of certain client Plans, which require MedImpact to report such Disclosures and/or Breaches within specified timeframes.
  • 50. Privacy Rule Training Quiz Question
    2. A Personal Representative of a Member calls MedImpact to inquire about a recent claim submitted. According to MedImpact’s policies and procedures, what information must the Personal Representative provide for Identity and Authority Verification?
    A. Personal representative name, member name, member ID number, member or policy holder date of birth, prescription drug name.
    B. Personal representative name, personal representative address, personal representative driver's license number, personal representative date of birth.
  • 51. Privacy Rule Training Quiz Question Review
    2. A Personal Representative of a Member calls MedImpact to inquire about a recent claim submitted. According to MedImpact’s policies and procedures, what information must the Personal Representative provide for Identity and Authority Verification?
    Very good, you answered correctly! The correct answer is A: Personal representative name, member name, member ID number, member or policy holder date of birth, prescription drug name.
    REVIEW AND LEARN MORE! Per the Identity and Authority Verification procedure [560-PD-009], located on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance Program, MedImpact requires that a Personal Representative provide the information noted above for identity and authority verification.
  • 52. Privacy Rule Training Quiz Question
    3. You are working on a project containing Member IIHI/PHI that requires removal from the MedImpact workplace. What should you do in this situation?
    A. Contact your management.
    B. Contact IT Security to ensure a secure encrypted device is used.
    C. Remove the IIHI/PHI from MedImpact without contacting your management or IT Security.
    D. Both A and B.
  • 53. Privacy Rule Training Quiz Question Review
    3. You are working on a project containing Member IIHI/PHI that requires removal from the MedImpact workplace. What should you do in this situation?
    Very good, you answered correctly! The correct answer is D: Both A and B.
    REVIEW AND LEARN MORE! It is not recommended for Employees to remove data containing IIHI/PHI from the MedImpact workplace. If you are working on a project containing IIHI/PHI that requires removal from the workplace, please contact your management and MedImpact's IT Security Department to ensure a secure encrypted device is used. For more information, see the Protection of Member IIHI/PHI procedure [560-PD-006].
  • 54. Privacy Rule Training Quiz Question
    4. You have been directed to organize your department work area. Which type(s) of material should you toss in the Shred-it® bin?
    A. Any recyclable paper not containing Member IIHI/PHI.
    B. Trash, candy wrappers, empty water bottles and tissues.
    C. Any documentation containing company confidential information and/or IIHI/PHI, such as name, address, date of birth, Social Security Number or Member identification number.
  • 55. Privacy Rule Training Quiz Question Review
    4. You have been directed to organize your department work area. Which type(s) of material should you toss in the Shred-it® bin?
    Very good, you answered correctly! The correct answer is C: Any documentation containing company confidential information and/or IIHI/PHI, such as name, address, date of birth, Social Security Number or Member identification number.
    REVIEW AND LEARN MORE! All documents containing Member IIHI/PHI should be disposed of in secure “Shred-it®” bins located in designated locations, in accordance with the Protection of Member IIHI/PHI procedure [560-PD-006] located on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance Program.
  • 56. Privacy Rule Training Quiz Question
    5. A Plan e-mails Member IIHI/PHI to you and requests that you research an issue and provide an e-mail response by close of business day. You research the issue and find additional IIHI/PHI to support your response to the Plan. You draft an e-mail response containing IIHI/PHI. According to MedImpact’s procedures, what is the next step you must take before sending an Outlook e-mail that contains IIHI/PHI to an external recipient?
    A. Send the response to the Plan with the requested information and ensure the appropriate confidential disclaimer is in the footer.
    B. Use the minimum amount of IIHI/PHI necessary to fulfill the intended request and encrypt the email upon sending, using the Outlook Send Secure Button.
    C. Spell check your e-mail and send.
  • 57. 5. A Plan e-mails Member IIHI/PHI to you and requests that you research an issue and provide an e-mail response by close of business day. You research the issue and find additional IIHI/PHI to support your response to the Plan. You draft an e-mail response containing IIHI/PHI. According to MedImpact’s procedures, what is the next step you must take before sending an Outlook e-mail that contains IIHI/PHI to an external recipient? Very good, you answered correctly! The correct answer is B: Use the minimum amount of IIHI/PHI necessary to fulfill the intended request and encrypt the email upon sending, using the Outlook Send Secure Button. Privacy Rule Training Quiz Question Review REVIEW AND LEARN MORE! MedImpact’s secure encryption method MUST be used when an Outlook e-mail containing Member IIHI/PHI is sent to individuals other than MedImpact Employees or Non-Employees. The Outlook Send Secure Button must be used even when responding to an original e-mail containing Member IIHI/PHI that was not originally encrypted by the sender. Refer to IT Security for additional information regarding MedImpact’s secure encryption method.
  • 58. Member Privacy Rights Congratulations! You have completed Part 1 of this training course! Part II of this training course explains how MedImpact supports its Plans when Members request certain Privacy Rights and Plans approve those requests. As a Business Associate (BA), MedImpact is required to implement Member Privacy Right requests on behalf of Plans. A Member is informed of his/her Privacy Rights under the Privacy Rule by way of a Notice of Privacy Practices document provided by his/her Plan.
  • 59. Training Course Review Completed We are ½ way there
• 61. Member Privacy Rights The following slides summarize the Member Privacy Rights and reference the applicable procedure documents implementing a Member’s Privacy Right request.
  - Right to Request Privacy Protection for Member IIHI/PHI
  - Right to Request Restrictions of Uses and Disclosures of Member IIHI/PHI
  - Right to Request Rerouting of Confidential Communications of Member IIHI/PHI
  - Right to Request Access or Amendment to Member IIHI/PHI
  - Right to Request an Accounting of Disclosures of Member IIHI/PHI
• 62. Member Privacy Rights – Right to Request Privacy Protection for Member IIHI/PHI
  - MedImpact may use or disclose IIHI/PHI without Member authorization for TPO purposes.
  - A Member has the right to request privacy protection for IIHI/PHI that may affect standard TPO processes, including but not limited to: claims, benefits, eligibility, coordination of benefits, Plan audits, and discussions with pharmacies, providers or Members.
  - In cases where a Member requests that a Plan restrict the disclosure of his/her IIHI/PHI, the Plan must comply with the requested restriction if:
    - The disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and
    - The IIHI/PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
• 63. Member Privacy Rights – Right to Request Privacy Protection for Member IIHI/PHI Privacy Protection may be requested in the following two ways and must be approved by the Plan:
  - Restriction on the uses and/or disclosures of IIHI/PHI. Example: A Member’s restriction request requires that MedImpact not provide the Member’s ex-spouse any IIHI/PHI about him/her.
  - Rerouting of Confidential communications of IIHI/PHI by alternative means or at alternative locations. Rerouting of Confidential communications involves direct communications between MedImpact and the Member. Example: A Member requests that his/her IIHI/PHI be sent to an alternate address or by fax instead of U.S. Mail.
  Detailed procedures regarding implementing and terminating these requests are outlined in the Right to Request Privacy Protection for Member IIHI/PHI procedure [560-PD-004] located in the HIPAA Compliance section of the Corporate Compliance Intranet site.
• 64. Member Privacy Rights - Member Privacy Protection Requests MedImpact does not take Privacy Right requests received directly from Members. If you receive a Privacy Right request directly from a Member, you must:
  - Inform the Member that the request is required to be routed through the Plan that provided the Notice of Privacy Practices to the Member, and provide the Member with the Plan contact information; and
  - Inform the Member that the Plan manages the process and initiates the request according to its own internal policies and procedures.
• 65. Member Privacy Rights - Plan Privacy Protection Requests
  - MedImpact takes Privacy Protection requests received directly from Plans. All requests are routed to the appropriate MedImpact CSS.
  - Upon receipt, the CSS completes the Internal Reporting Form for Request for Privacy Protection within one (1) business day, and sends the completed Form along with the written approval from the Plan to the Regulatory Compliance Department for review and record keeping purposes.
  - Upon the Regulatory Compliance Department review, the CSS works with the Plan regarding implementation.
  • 66. How to Implement and Identify a Request for Privacy Protection in MedAccess You have learned how to respond to a Member and Plan requesting Privacy Protection. The following slides demonstrate how to identify and implement a Privacy Protection request in the MedAccess member record.
  • 67. Privacy Protection Request Implementation A Plan may choose to either implement the request or have MedImpact implement the request in MedAccess. The “CONFDNTL” Field in the Member Maintenance Screen contains a flag that identifies whether a Privacy Protection exists for a Member, which is outlined in the next two slides.
• 68. Privacy Protection Request Implementation by Plan P Flag – Plan Implementation in MedAccess – Change Eligibility Files
  - The Plan must implement the P Flag in the applicable CONFDNTL Field by changing its Member eligibility files to accommodate the CONFDNTL Field.
  - MedImpact cannot implement a P Flag in MedAccess, since Plan eligibility files will overwrite a P Flag. Eligibility files must be changed and the P Flags must then be managed by the Plan.
  - The CONFDNTL Field P Flag entry can be edited by the Plan.
• 69. Privacy Protection Request Implementation by MedImpact C Flag – MedImpact CSS Implementation in MedAccess – No Change to Plan Eligibility Files
  - The Plan or MedImpact can implement the C Flag directly in MedAccess without changing Plan eligibility files.
  - If a C Flag is in the CONFDNTL Field, then the entire Member record cannot be overwritten by future eligibility file loads.
  - Since Member records cannot be overwritten, error messages will occur for all future automatic edits or updates made to the Member record. Therefore, manual edits are required to ensure continued accuracy of the information contained in the Member record.
• 70. How to Identify a Member’s Privacy Protection “Confdntl” Flag in MedAccess The “Confdntl” (confidential) flag field in the MedAccess Member Maintenance screen contains information regarding Member restrictions. The Member Maintenance screen displays the “Special Handling” banner at the top.
• 71. How to Identify a Member’s Privacy Protection “Confdntl” Flag in MedAccess
  - If there is a value (typically a “C” or a “P”) in the “Confdntl” flag field found in the MedAccess Member Maintenance Screen, then a Special Handling banner appears at the top of the screen.
  - If a value appears in the “Confdntl” flag field, then place the cursor on the “Confdntl” flag field, select “F8”, and the Special Handling Notes field appears.
  - Special Handling Notes Field – contains the details regarding the specific Privacy Protection.
  - Use CTRL+Y to open the full Special Handling Notes screen notes display and follow the instructions.
• 72. How to Request Access or Amendment to Member IIHI/PHI and Request an Accounting of Disclosures Now you have learned how to:
  - Respond to Members and Plans; and
  - Identify and implement the MedAccess “CONFDNTL” flag field.
  The following slide show indicates how to respond to a Plan request for access and amendment to Member IIHI/PHI and a Plan request for an Accounting of Disclosures.
• 73. Member Privacy Rights – Request Access to Member IIHI/PHI Right to Request Access to Member IIHI/PHI
  - On behalf of a Member, a Plan has the right to require that MedImpact allow a Member access to inspect and obtain a copy of his/her IIHI/PHI in a Designated Record Set (DRS), for as long as the IIHI/PHI is maintained in the DRS and IIHI/PHI maintained by MedImpact.
  - The following slide is an example of the data elements contained in a Business Objects DRS report generated by the CSS, in accord with the Right to Request Access or Amendment to Member IIHI/PHI procedure [560-PD-002].
• 74. Member Privacy Rights – Request Access to Member IIHI/PHI: DRS Report Data Elements The following data elements are included in a DRS report generated by the CSS, in accord with the Right to Request Access or Amendment to Member IIHI/PHI procedure [560-PD-002].
  Basic Member Information:
  - Member Number
  - Full Name
  - Birth Date
  - Gender
  - Address
  - Plan
  Claim Adjudication Information:
  - Rx# (unique number per claim)
  - Fill Date
  - Pharmacy Name
  - Pharmacy Address
  - NDC (The first 5 characters represent the manufacturer of the drug. The next 4 characters represent the ingredient and form. The last two characters represent the package type.)
  - Drug Name
  - Days Supply
  - Qty
  - Co-Pay
  - Compound (If code = 2, then the drug is a compound; otherwise the drug is not a compound.)
  - PA#
  - Physician Name
  - Formulary
  Prior Authorization/MRF:
  - PA#
  - Drug Name
  - Strength
  - NDC
  - Qty
  - Days Supply
  - Count
  - Start Date
  - Physician Name
• 75. Member Privacy Rights – Request Amendment to Member IIHI/PHI A Plan, on behalf of the Member, may request that MedImpact implement a request to amend IIHI/PHI in a DRS. The following process is initiated upon MedImpact’s receipt of this type of request:
  - The request is directed to the appropriate CSS. The request must be submitted to MedImpact in writing and should include the original Member request and documentation of Plan approval of the request.
  - The CSS routes the request to the Regulatory Compliance Department by one of the following methods: Outlook e-mail (Regulatory Compliance group); inter-office envelope; or orally.
  - After reviewing the Request:
    - If the Regulatory Compliance Department approves MedImpact fulfilling the Request, the Regulatory Compliance Department notifies the CSS of its approval and direction to proceed with amending the Member’s IIHI/PHI in the DRS.
    - If the Regulatory Compliance Department does not approve the Request, the Regulatory Compliance Department notifies the CSS and the CSS discusses the non-approval with the Plan.
  - If the Request is approved, the CSS:
    - Amends the DRS report according to the Request;
    - Prints the DRS report from Business Objects or MedOptimize; and
    - Forwards the Amendment of IIHI/PHI Request - Optional Fulfillment Letter or alternate form of communication to the Plan, including the amended DRS report, if applicable.
• 76. Member Privacy Rights – Accounting of Disclosures A Plan may require MedImpact to implement a request for an accounting of Disclosures on behalf of a Member. MedImpact implements such requests in accord with the Right to Request an Accounting of Disclosures of Member IIHI/PHI procedure [560-PD-003], which outlines the following:
  - On behalf of a Member, a Plan may request an accounting of Disclosures of IIHI/PHI made by MedImpact in the six (6) years prior to the date of the request, except for Disclosures made before April 14, 2003.
  - Such accounting includes the date of the Disclosure, the name of the recipient and, if known, the address of the recipient, a description of the IIHI/PHI disclosed and the purpose of the Disclosure.
  - An accounting of Disclosures does not include Disclosures made by MedImpact for TPO purposes or as otherwise authorized by the Member.
  - The request is directed to the appropriate CSS from the Plan.
  - The CSS forwards the request and related documentation to the Regulatory Compliance Department.
  - The Regulatory Compliance Department completes the accounting of Disclosures report and returns the report to the CSS.
  • 77. Training Course Review You have reached the end of the second half of the HIPAA Privacy Rule Training course. A short quiz is coming soon
• 78. Training Course Review Here are some of the main points presented in the second half of this training course.
  Right to Request Privacy Protection for Member IIHI/PHI: A Member has the right to request privacy protection for his/her individually identifiable health information (IIHI) and protected health information (PHI) disclosed by either the Plan or MedImpact, as the Business Associate (BA) of the Plan. As a BA, MedImpact receives Plan communication (oral or written) regarding a Member’s Request for privacy protection of IIHI/PHI. An assigned Client Service Specialist (CSS) manages the Request process. MedImpact’s process identifies procedures according to the details of the Request options, which include:
  - Restriction of Uses and Disclosures of Member IIHI/PHI: Restriction placed on the Plan, or MedImpact as a BA, on uses and disclosures of IIHI/PHI about the Member to carry out Treatment, Payment, or Health Care Operations (TPO).
  - Rerouting of Confidential Communications: Conditions placed on the Plan, or MedImpact as a BA, sending confidential communications to a Member containing IIHI/PHI by alternative means or at alternative locations.
• 79. Training Course Review
  Right to Request Access or Amendment to Member IIHI/PHI: A Member has the right to request access to, or amendment of, his/her individually identifiable health information (IIHI) and protected health information (PHI) in a Designated Record Set (DRS), for as long as the IIHI/PHI is maintained in the DRS. As a Business Associate (BA), MedImpact receives Plan communication regarding a Member’s Request for access or amendment to IIHI/PHI. An assigned Client Service Specialist (CSS) manages the Request process.
  Right to Request an Accounting of Disclosures of Member IIHI/PHI: A Member has the right to request an accounting of disclosures of IIHI/PHI made by a Plan, or MedImpact as the Business Associate (BA) of the Plan, in the six (6) years prior to the date on which the accounting is requested, except for disclosures made before April 14, 2003. As a BA, MedImpact receives Plan communication (oral or written) regarding a Member Request for an accounting of disclosures of IIHI/PHI. An assigned Client Service Specialist (CSS) manages the Request process.
• 80. Time to Test Your Knowledge…
  - Now you are ready to answer five (5) questions based on what you have read in the second half of this training course. Answer each question with the response you believe is the most appropriate for the given situation by clicking on “Submit your answer”. Each time you answer a question, you will learn if your answer is correct or incorrect.
  - When your answer is correct, you will be directed to the next slide. A brief summary of the correct response is provided to expand your knowledge.
  - When your answer is incorrect, you will be given one (1) additional attempt to provide the correct answer before you are directed to the next slide.
  To pass this course you must score at least 80% between both quizzes to receive full credit.
  • 81. Member Privacy Rights Training Quiz Question 1. Under the Privacy Rule, a Member may ask for the following: A. A Restriction on uses and disclosures of IIHI/PHI. B. Rerouting of Confidential Communications of his/her IIHI/PHI by alternative means or at alternative locations. C. Both A and B. D. None of the Above.
• 82. Member Privacy Rights Training Quiz Question - Review 1. Under the Privacy Rule, a Member may ask for the following: Very good, you answered correctly! The correct answer is C. A Member has a right to ask for both a Restriction on uses and disclosures of IIHI/PHI and Rerouting of Confidential Communications of his/her IIHI/PHI by alternative means or at alternative locations. REVIEW AND LEARN MORE! A Plan must permit a Member to request a Restriction on uses and disclosures of his/her or a dependent’s IIHI/PHI. An example of a Restriction is: A father of two Members submits a request that restricts access to his children’s medical information from the children’s mother. The father has sole physical and legal custody of the children per a court order and the mother has no parental rights. A Plan must permit a Member to request, and must accommodate reasonable requests, to receive communications of IIHI/PHI by alternative means or at alternative locations. An example of a Rerouting of Confidential Communications is: A husband who is separated from his wife and no longer resides at the same location wants his mail sent to an alternate address until his divorce is finalized.
  • 83. Member Privacy Rights Training Quiz Question 2. You are a Customer Service Representative and you receive a request from a Member who is asking you to exercise his/her Privacy Right to request restriction on uses and disclosures of IIHI/PHI. As a Customer Service Representative, you are expected to be of service to those requesting your assistance. In this instance, you should: A. Inform the Member that the request is required to be routed through the Plan that provided the Notice of Privacy Practices to the Member. B. Give the requested information to the Member without verifying if MedImpact is responsible for managing requests on behalf of the Plan. C. Hang up on the caller.
  • 84. Member Privacy Rights Training Quiz Question - Review 2. You are a Customer Service Representative and you receive a request from a Member who is asking you to exercise his/her Privacy Right to request restriction on uses and disclosures of IIHI/PHI. As a Customer Service Representative, you are expected to be of service to those requesting your assistance. In this instance, you should: Very good, you answered correctly! The correct answer is A. Inform the Member that the request is required to be routed through the Plan that provided the Notice of Privacy Practices to the Member. REVIEW AND LEARN MORE! A Member of a Plan is informed of his/her privacy rights under HIPAA as described in a Notice of Privacy Practices provided by a Plan. The Plan is responsible for approving and terminating the Request. A Plan or MedImpact may implement a Request, as outlined in the Right to Request Privacy Protection for Member IIHI/PHI procedure [560-PD-004].
  • 85. Member Privacy Rights Training Quiz Question 3. Which of the following is false: A. MedImpact implements Privacy Right requests received directly from Members. B. MedImpact refers a Privacy Right request received directly from a Member to the Member’s Plan that provided the Notice of Privacy Practices to the Member. C. If the Plan approves the request, MedImpact will be advised by the Plan to implement the Privacy Right request on behalf of the Member.
• 86. Member Privacy Rights Training Quiz Question - Review 3. Which of the following is false: Very good, you answered correctly! The correct answer is A. MedImpact does not implement Privacy Right requests received directly from Members. REVIEW AND LEARN MORE! A Plan Member is informed of his/her HIPAA privacy rights in a Notice of Privacy Practices provided by a Plan. The Plan is responsible for approving the Request and providing written notification of the approved Request to its MedImpact CSS for implementation or termination. If the Plan agrees to a restriction, MedImpact may not use or disclose IIHI/PHI in violation of such a restriction, with one exception: when the Member who requested the restriction is in need of emergency treatment and the restricted IIHI/PHI is needed to provide the emergency treatment, MedImpact may use the restricted IIHI/PHI or may disclose such information to a health care provider to provide such treatment to the Member, and must request that the health care provider not further disclose the IIHI/PHI.
  • 87. Member Privacy Rights Training Quiz Question 4. True or False: On behalf of a Member, a Plan does not have the right to require that MedImpact allow a Member access to inspect and obtain a copy of his/her IIHI/PHI in a Designated Record Set (DRS). A. True B. False
• 88. Member Privacy Rights Training Quiz Question - Review 4. On behalf of a Member, a Plan does not have the right to require that MedImpact allow a Member access to inspect and obtain a copy of his/her IIHI/PHI in a Designated Record Set (DRS). Very good, you answered correctly! The correct answer is B. False. On behalf of a Member, a Plan has the right to require that MedImpact allow a Member access to inspect and obtain a copy of his/her IIHI/PHI in a Designated Record Set (DRS), for as long as the IIHI/PHI is maintained in the DRS, except for: psychotherapy notes; information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and IIHI/PHI maintained by MedImpact. REVIEW AND LEARN MORE! For more information on how to run the HIPAA DRS Report, please refer to the Right to Request Access or Amendment of Member IIHI/PHI procedure [560-PD-002].
  • 89. Member Privacy Rights Training Quiz Question 5. What is included in an Accounting of Disclosures request? A. Date of Disclosure, name of recipient, the address of the recipient (if known). B. Disclosures made by MedImpact for Treatment, Payment or Health Care Operations. C. Description of IIHI/PHI disclosed and the purpose of the disclosure. D. Both A and C.
  • 90. Member Privacy Rights Training Quiz Question - Review 5. What is included in an Accounting of Disclosures request? Very good, you answered correctly! The correct answer is D. Accounting of Disclosures includes: Date of Disclosure, name of recipient, the address of the recipient (if known), a description of IIHI/PHI disclosed and the purpose of the Disclosure. Accounting of Disclosures does not include Disclosures made by MedImpact for Treatment, Payment or Health Care Operations. REVIEW AND LEARN MORE! An Accounting of Disclosures request submitted by the Plan must be submitted to MedImpact in writing and should include the original Member request and documentation of the Plan approval of the request, as outlined in the Right to Request an Accounting of Disclosures of Member IIHI/PHI procedure [560-PD-003].
  • 91. Privacy Rule Training As outlined in the HIPAA Privacy Rule Training policy [560-PL-008], you may receive customized training on topics concerning the uses and disclosures of Member IIHI/PHI as necessary to effectively carry out your role and responsibilities.
• 92. Privacy Rule Resources – Overview Do you have any questions? MedImpact’s Privacy Officer is Lisa Byerley, Director of Regulatory Compliance. Approach your supervisor or manager with questions relating to departmental procedures that support MedImpact’s HIPAA Privacy Rule policies and procedures. The Regulatory Compliance Department is available to answer questions or provide additional information regarding HIPAA requirements or policies and procedures. You can contact the Regulatory Compliance Department at regulatorycompliance@medimpact.com.
  • 93. HIPAA Privacy Rule Resources Policies and procedures and standard definitions summarized in this training course that support the HIPAA Privacy Rule are available on MedImpact’s Intranet website, under the Corporate Compliance/HIPAA Compliance Section, as shown on the next slide.
• 94. Privacy Rule Resources – Policies and Procedures The following policies and procedures are referenced throughout this HIPAA Privacy Rule training course and are available to you on MedImpact’s Intranet – Corporate Compliance/HIPAA Compliance, as illustrated on the previous slide. It is the responsibility of all MedImpact Employees and Non-Employees to adhere to MedImpact’s policies and procedures.
  - Uses and Disclosures of Member IIHI/PHI [560-PL-001]
  - Right to Request Access or Amendment to Member IIHI/PHI [560-PD-002]
  - Right to Request an Accounting of Disclosures of Member IIHI/PHI [560-PD-003]
  - Right to Request Privacy Protection for Member IIHI/PHI [560-PD-004]
  - Business Associate Responsibilities [560-PL-005]
  - Protection of Member IIHI/PHI [560-PD-006]
  - Internal Reporting – Potential Unauthorized Disclosures and/or Breaches of Member IIHI/PHI [560-PD-007]
  - HIPAA Privacy Rule Training [560-PL-008]
  - Identity and Authority Verification [560-PD-009]
• 95. Policies and Procedures – Your Responsibilities You are responsible for adhering to MedImpact’s policies and procedures. If your actions are determined to be outside the scope of MedImpact’s policies and procedures, the specific issue is addressed with your direct supervisor and/or with a qualified member of the Human Resources (HR) Department and Corporate Compliance. Depending on the circumstances of the issue, disciplinary action may be imposed, up to and including termination of employment. Your manager (in conjunction with HR and Corporate Compliance, where appropriate) works collaboratively with you to research the circumstances, explain the identified actions, mitigate and initiate necessary process improvement(s) that support MedImpact’s policies and procedures. All potential or suspected actions deemed outside the scope of MedImpact’s HIPAA policies and procedures must be reported to the Regulatory Compliance Department.
• 96. Company Responsibilities The HIPAA Privacy Rule applies only to Plans, health care clearinghouses, and certain health care providers. However, Plans often do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other businesses, such as a pharmacy benefit management company (MedImpact). The Privacy Rule allows Plans to disclose IIHI/PHI to Business Associates (BA) such as MedImpact if the Plan obtains satisfactory assurances that the BA will use the information only for the purposes for which it was engaged to perform, will safeguard the information from misuse, and will help the Plan comply with certain identified duties under the Privacy Rule. If the Plan knows of a material breach or violation by the BA, the Plan is required to take reasonable steps to cure the breach or end the violation, and if those steps are unsuccessful, to terminate the contract or arrangement. Therefore, it is important that you safeguard IIHI/PHI from misuse and help MedImpact comply with its contractual obligations, which support the Plan’s compliance efforts under the Privacy Rule.
  • 97. The Federal HIPAA Privacy Rule & State Privacy Laws This training course is intended to only cover the federal HIPAA Privacy Rule requirements. Some state laws that regulate the protection of IIHI/PHI may be broader or more restrictive than the federal HIPAA Privacy Rule regulations. Therefore, in some situations, state law may determine MedImpact’s requirements over the federal regulations, which will be communicated separately by MedImpact’s Regulatory Compliance Department. MedImpact’s Regulatory Compliance Department is responsible for: Identifying and analyzing applicable federal and state laws and regulations that impact MedImpact business; and conveying the requirements to the applicable business unit(s).
  • 98. Congratulations! Thank you for completing MedImpact’s required online HIPAA Privacy Rule Training. By successfully completing the quiz, you have demonstrated your awareness and understanding of safeguards to protect Member Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI) and MedImpact’s policies and procedures that support the HIPAA Privacy Rule. Your time and participation will help MedImpact meet the requirements of the HIPAA Privacy Rule and, most important, help MedImpact to protect the privacy and confidentiality of our Members’ IIHI/PHI. Please go to the next slide to read and acknowledge the compliance statement. Congratulations! You did a fantastic job! Before you become Lochness Certified with HIPAA 2010 You will need to agree to comply on the next slide
  • 99. Compliance Statement I acknowledge, understand and agree that it is my responsibility to read, understand and follow MedImpact’s HIPAA Privacy Rule policies and procedures outlined in this training course. If I do not understand a particular policy or procedure, I will contact my supervisor, the Regulatory Compliance Department, or the HIPAA Privacy Officer for clarification. I understand that MedImpact may change, rescind, or add to these policies and procedures from time to time. I will be advised of material changes within a reasonable time frame. To Complete this Training Course: You must AGREE TO COMPLY with the information, policies and procedures in this training course. Click the “I Agree to Comply” button and then receive your final score. You must PASS this course with an 80% to receive credit for completing this training course. Your training transcript and completion certificate will be available in the LMS after you exit this course